test(sandbox): split drop_privileges test to unblock non-root CI #623
Open
The drop_privileges_succeeds_for_current_user test failed on non-root systems because initgroups(3) requires CAP_SETGID even when switching to the current user. Add a new drop_privileges_succeeds_for_current_group test that omits run_as_user, bypassing initgroups while still exercising setgid() and the GID post-condition verification. Mark the original full-path test with #[ignore] so it can be run explicitly as root. Fixes #622
Summary
`drop_privileges_succeeds_for_current_user` failed on non-root systems because `initgroups(3)` requires `CAP_SETGID` even when switching to the current user. This splits the test into a non-root-safe variant that still exercises the `setgid()` + GID verification path, and marks the full path as `#[ignore]` for explicit root-only runs.
Related Issue
Closes #622
Changes
- `drop_privileges_succeeds_for_current_group`: sets only `run_as_group` (no `run_as_user`), bypassing `initgroups`. Exercises `setgid()` and the GID post-condition verification without root. Runs on every `cargo test`.
- `drop_privileges_succeeds_for_current_user` with `#[ignore = "initgroups(3) requires CAP_SETGID; run as root: sudo cargo test -- --ignored"]`. Full path (including `initgroups`, `setuid`, root-reacquisition check) still reachable explicitly.
Testing
- `mise run pre-commit` passes
Checklist
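The group-only path described under Changes, as an added Rust example that is not the project's code: `current_gid`, `drop_to_group` and `verify_gid` are hypothetical names, and the libc symbols are declared by hand on the assumption of a Linux target with a 32-bit `gid_t`. An unprivileged process may call `setgid()` with its own real GID, which is why this path needs no `CAP_SETGID`.

```rust
use std::io;

// libc symbols declared directly so no external crate is needed
// (assumption: Linux, where gid_t is a 32-bit unsigned integer).
extern "C" {
    fn getgid() -> u32;
    fn getegid() -> u32;
    fn setgid(gid: u32) -> i32;
}

/// Real GID of the calling process.
fn current_gid() -> u32 {
    unsafe { getgid() }
}

/// Hypothetical group-only drop: call setgid(), then confirm that both the
/// real and effective GID equal the target instead of trusting the return code.
fn drop_to_group(target: u32) -> io::Result<()> {
    if unsafe { setgid(target) } != 0 {
        return Err(io::Error::last_os_error());
    }
    verify_gid(target, unsafe { getgid() }, unsafe { getegid() })
}

/// Post-condition check, kept separate so the failure branch can be exercised
/// with constructed values and without touching process credentials.
fn verify_gid(target: u32, real: u32, effective: u32) -> io::Result<()> {
    if real == target && effective == target {
        Ok(())
    } else {
        Err(io::Error::new(
            io::ErrorKind::PermissionDenied,
            format!("gid drop not effective: want {target}, real {real}, effective {effective}"),
        ))
    }
}

fn main() {
    // Dropping to the GID the process already has needs no privilege.
    let gid = current_gid();
    match drop_to_group(gid) {
        Ok(()) => println!("setgid({gid}) verified"),
        Err(e) => eprintln!("drop failed: {e}"),
    }
}
```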