https://github.com/python/cpython/commit/af459e5e3206bf1469b6940e058e7d4bd44c5af8 commit: af459e5e3206bf1469b6940e058e7d4bd44c5af8 branch: 3.14 author: Miss Islington (bot) <[email protected]> committer: itamaro <[email protected]> date: 2026-06-16T09:42:20-07:00 summary:
[3.14] gh-151519: Check effective gid in `_test_all_chown_common` group-0 guard (GH-151521) (#151550) gh-151519: Check effective gid in `_test_all_chown_common` group-0 guard (GH-151521) The guard that skips the "chown to gid 0 should fail" assertion used only `os.getgroups()` (supplementary groups). The kernel also accepts the effective/filesystem gid for chown, so when a process runs with egid 0 and a non-zero uid (common in containers and user namespaces), chown(-1, 0) succeeds and the assertion spuriously fails. Add an `os.getegid() != 0` check alongside the existing `0 not in os.getgroups()` guard. (cherry picked from commit 2ce260033b457a0ad2c9767a1d9902bef5a30b0e) Co-authored-by: Itamar Oren <[email protected]> files: M Lib/test/test_posix.py diff --git a/Lib/test/test_posix.py b/Lib/test/test_posix.py index a895d57d1ffec1..31657bdc9d4476 100644 --- a/Lib/test/test_posix.py +++ b/Lib/test/test_posix.py @@ -838,7 +838,9 @@ def check_stat(uid, gid): self.assertRaises(OSError, chown_func, first_param, 0, -1) check_stat(uid, gid) if hasattr(os, 'getgroups'): - if 0 not in os.getgroups(): + # Also check the effective gid, which the kernel + # accepts for chown even if not in getgroups(). + if 0 not in os.getgroups() and os.getegid() != 0: self.assertRaises(OSError, chown_func, first_param, -1, 0) check_stat(uid, gid) # test illegal types _______________________________________________ Python-checkins mailing list -- [email protected] To unsubscribe send an email to [email protected] https://mail.python.org/mailman3//lists/python-checkins.python.org Member address: [email protected]
