https://github.com/python/cpython/commit/19bf6a3fa1d1497f8b73f971df07109f2da000ca commit: 19bf6a3fa1d1497f8b73f971df07109f2da000ca branch: 3.15 author: Miss Islington (bot) <[email protected]> committer: itamaro <[email protected]> date: 2026-06-16T09:42:24-07:00 summary:
[3.15] gh-151519: Check effective gid in `_test_all_chown_common` group-0 guard (GH-151521) (#151549) gh-151519: Check effective gid in `_test_all_chown_common` group-0 guard (GH-151521) The guard that skips the "chown to gid 0 should fail" assertion used only `os.getgroups()` (supplementary groups). The kernel also accepts the effective/filesystem gid for chown, so when a process runs with egid 0 and a non-zero uid (common in containers and user namespaces), chown(-1, 0) succeeds and the assertion spuriously fails. Add an `os.getegid() != 0` check alongside the existing `0 not in os.getgroups()` guard. (cherry picked from commit 2ce260033b457a0ad2c9767a1d9902bef5a30b0e) Co-authored-by: Itamar Oren <[email protected]> files: M Lib/test/test_os/test_posix.py diff --git a/Lib/test/test_os/test_posix.py b/Lib/test/test_os/test_posix.py index 0e8495a4eff2ed4..a1ffd4fbe8cf2be 100644 --- a/Lib/test/test_os/test_posix.py +++ b/Lib/test/test_os/test_posix.py @@ -899,7 +899,9 @@ def check_stat(uid, gid): self.assertRaises(OSError, chown_func, first_param, 0, -1) check_stat(uid, gid) if hasattr(os, 'getgroups'): - if 0 not in os.getgroups(): + # Also check the effective gid, which the kernel + # accepts for chown even if not in getgroups(). + if 0 not in os.getgroups() and os.getegid() != 0: self.assertRaises(OSError, chown_func, first_param, -1, 0) check_stat(uid, gid) # test illegal types _______________________________________________ Python-checkins mailing list -- [email protected] To unsubscribe send an email to [email protected] https://mail.python.org/mailman3//lists/python-checkins.python.org Member address: [email protected]
