feat: detect hidden group access via newgrp (gshadow desync) (#625)

* feat: detect hidden group access via newgrp (gshadow desync) Problem: groups/id only show current session memberships Fix: probe all system groups via newgrp to detect accessible groups not shown Impact: identifies hidden access (docker, lxd, etc.) missed by standard checks Real case: user present in gshadow docker group but not reflected in session newgrp docker succeeds -> container escape -> root * Update linPEAS/builder/linpeas_parts/6_users_information/19_Actual_groups.sh fixed the command-injection vector. Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Apply suggestion from @Copilot Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --------- Co-authored-by: Muthra <muthra@example.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: SirBroccoli <carlospolop@gmail.com>
2026-04-28 11:53:22 -07:00 · 2026-03-23 20:59:33 +05:30
parent b8528da949
commit ac31bcefab
1 changed files with 34 additions and 0 deletions
--- a/linPEAS/builder/linpeas_parts/6_users_information/19_Actual_groups.sh
+++ b/linPEAS/builder/linpeas_parts/6_users_information/19_Actual_groups.sh
@@ -0,0 +1,34 @@
+# Title: Users Information - Actual Group Memberships via newgrp
+# ID: UG_Actual_groups
+# Author: Muthra
+# Last Update: 23-03-2026
+# Description: Detects actual group memberships via newgrp (catches /etc/gshadow vs /etc/group desync)
+# License: GNU GPL
+# Version: 1.0
+# Mitre: T1069.001
+# Functions Used: print_2title
+# Global Variables: $groupsVB, $groupsB, $Groups
+# Initial Functions:
+# Generated Global Variables:  $ActualGroup, $groupname, $gid, $result
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+print_2title "Actual Group Memberships via newgrp" "T1069.001"
+
+# Skip this probe when running as root to avoid root-only newgrp behavior
+if [ "${IAMROOT:-0}" != "1" ]; then
+    ActualGroup="|"
+
+    while IFS=: read -r groupname _ gid _; do
+        result=$(timeout 1 sh -c "echo id | newgrp \"$groupname\"" 2>/dev/null)
+        if echo "$result" | grep -q "uid="; then
+            if ! echo "${Groups}|" | grep -Fq "|${groupname}|"; then
+                ActualGroup="${ActualGroup}${groupname}|"
+                echo "Accessible group not shown in id: $groupname (gid=$gid)" | sed -${E} "s,$groupsVB,${SED_RED_YELLOW},g" | sed -${E} "s,$groupsB,${SED_RED},g"
+            fi
+        fi
+    done < /etc/group
+
+    echo ""
+fi