ssh/tailssh: limit setgroups to 16 on macOS

Fixes #4938

Signed-off-by: Adam Eijdenberg <adam@continusec.com>

ssh/tailssh/incubator.go

@@ -225,7 +225,8 @@ func beIncubator(args []string) error {
 		}
 		groupIDs = append(groupIDs, int(gid))
 	}
-	if err := syscall.Setgroups(groupIDs); err != nil {
+
+	if err := setGroups(groupIDs); err != nil {
 		return err
 	}
 	if egid := os.Getegid(); egid != ia.gid {

ssh/tailssh/incubator_darwin.go

@@ -4,6 +4,18 @@
 
 package tailssh
 
+import "syscall"
+
 func (ia *incubatorArgs) loginArgs() []string {
 	return []string{ia.loginCmdPath, "-fp", "-h", ia.remoteIP, ia.localUser}
 }
+
+func setGroups(groupIDs []int) error {
+	// darwin returns "invalid argument" if more than 16 groups are passed to syscall.Setgroups
+	// some info can be found here:
+	// https://opensource.apple.com/source/samba/samba-187.8/patches/support-darwin-initgroups-syscall.auto.html
+	// this fix isn't great, as anyone reading this has probably just wasted hours figuring out why
+	// some permissions thing isn't working, due to some arbitrary group ordering, but it at least allows
+	// this to work for more things than it previously did.
+	return syscall.Setgroups(groupIDs[:16])
+}

ssh/tailssh/incubator_linux.go

@@ -177,3 +177,7 @@ func maybeStartLoginSessionLinux(logf logger.Logf, ia incubatorArgs) (func() err
 func (ia *incubatorArgs) loginArgs() []string {
 	return []string{ia.loginCmdPath, "-f", ia.localUser, "-h", ia.remoteIP, "-p"}
 }
+
+func setGroups(groupIDs []int) error {
+	return syscall.Setgroups(groupIDs)
+}