feat: detect hidden group access via newgrp (gshadow desync) (#625)

* feat: detect hidden group access via newgrp (gshadow desync) Problem: groups/id only show current session memberships Fix: probe all system groups via newgrp to detect accessible groups not shown Impact: identifies hidden access (docker, lxd, etc.) missed by standard checks Real case: user present in gshadow docker group but not reflected in session newgrp docker succeeds -> container escape -> root * Update linPEAS/builder/linpeas_parts/6_users_information/19_Actual_groups.sh fixed the command-injection vector. Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Apply suggestion from @Copilot Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --------- Co-authored-by: Muthra <muthra@example.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: SirBroccoli <carlospolop@gmail.com>
2026-04-28 11:53:22 -07:00 · 2026-03-23 20:59:33 +05:30
parent b8528da949
commit ac31bcefab
1 changed files with 34 additions and 0 deletions
--- a/linPEAS/builder/linpeas_parts/6_users_information/19_Actual_groups.sh
+++ b/linPEAS/builder/linpeas_parts/6_users_information/19_Actual_groups.sh
@@ -0,0 +1,34 @@
 # Title: Users Information - Actual Group Memberships via newgrp
 # ID: UG_Actual_groups
 # Author: Muthra
 # Last Update: 23-03-2026
 # Description: Detects actual group memberships via newgrp (catches /etc/gshadow vs /etc/group desync)
 # License: GNU GPL
 # Version: 1.0
 # Mitre: T1069.001
 # Functions Used: print_2title
 # Global Variables: $groupsVB, $groupsB, $Groups
 # Initial Functions:
 # Generated Global Variables:  $ActualGroup, $groupname, $gid, $result
 # Fat linpeas: 0
 # Small linpeas: 1
 print_2title "Actual Group Memberships via newgrp" "T1069.001"
 # Skip this probe when running as root to avoid root-only newgrp behavior
 if [ "${IAMROOT:-0}" != "1" ]; then
    ActualGroup="|"
    while IFS=: read -r groupname _ gid _; do
        result=$(timeout 1 sh -c "echo id | newgrp \"$groupname\"" 2>/dev/null)
        if echo "$result" | grep -q "uid="; then
            if ! echo "${Groups}|" | grep -Fq "|${groupname}|"; then
                ActualGroup="${ActualGroup}${groupname}|"
                echo "Accessible group not shown in id: $groupname (gid=$gid)" | sed -${E} "s,$groupsVB,${SED_RED_YELLOW},g" | sed -${E} "s,$groupsB,${SED_RED},g"
            fi
        fi
    done < /etc/group
    echo ""
 fi