also check supplementary groups for write access in traverse_secure_open

squell · squell · commit b5bbd7402160 · 2025-11-05T15:33:24.000+01:00
diff --git a/src/system/audit.rs b/src/system/audit.rs
@@ -262,7 +262,7 @@ fn traversed_secure_open(path: impl AsRef<Path>, forbidden_user: &User) -> io::R
 
         if perms & mode(Category::World, Op::Write) != 0
             || (perms & mode(Category::Group, Op::Write) != 0)
-                && forbidden_user.gid.inner() == meta.gid()
+                && forbidden_user.in_group_by_gid(GroupId::new(meta.gid()))
             || (perms & mode(Category::Owner, Op::Write) != 0)
                 && forbidden_user.uid.inner() == meta.uid()
         {

Original file line number	Diff line number	Diff line change
`@@ -262,7 +262,7 @@ fn traversed_secure_open(path: impl AsRef<Path>, forbidden_user: &User) -> io::R`
`262`	`262`
`263`	`263`	`if perms & mode(Category::World, Op::Write) != 0`
`264`	`264`	`\|\| (perms & mode(Category::Group, Op::Write) != 0)`
`265`		`- && forbidden_user.gid.inner() == meta.gid()`
	`265`	`+ && forbidden_user.in_group_by_gid(GroupId::new(meta.gid()))`
`266`	`266`	`\|\| (perms & mode(Category::Owner, Op::Write) != 0)`
`267`	`267`	`&& forbidden_user.uid.inner() == meta.uid()`
`268`	`268`	`{`