gh-151519: Check effective gid in _test_all_chown_common group-0 guard #151521

Merged: Yhg1s merged 1 commit into python:main from itamaro:gh-151519-test-posix-egid on Jun 16, 2026
@itamaro itamaro commented Jun 16, 2026

Contributor

The guard that skips the "chown to gid 0 should fail" assertion used only `os.getgroups()` (supplementary groups). The kernel also accepts the effective/filesystem gid for chown, so when a process runs with egid 0 and a non-zero uid (common in containers and user namespaces), `chown(-1, 0)` succeeds and the assertion spuriously fails.

Add an `os.getegid() != 0` check alongside the existing `0 not in os.getgroups()` guard.
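
The guard change described above, modelled as an added example (not CPython's test code): the old and new conditions are evaluated against a simplified rule for when a non-root process may change a file's group, over constructed credential sets. `Creds`, `kernel_allows_chgrp`, `old_guard`, `new_guard`, `audit` and the sample values are names invented for this illustration.

```python
import os
from typing import Callable, NamedTuple

class Creds(NamedTuple):
    uid: int            # effective uid
    egid: int           # effective gid
    groups: frozenset   # supplementary groups, as os.getgroups() reports them

def kernel_allows_chgrp(c: Creds, target_gid: int) -> bool:
    """Simplified model (an assumption of this example): uid 0 may always
    chgrp; a non-root file owner may only pick a gid it already holds,
    either as its effective gid or as a supplementary group."""
    if c.uid == 0:
        return True
    return target_gid == c.egid or target_gid in c.groups

def old_guard(c: Creds) -> bool:
    # Pre-fix condition for asserting that chown(-1, 0) raises.
    return 0 not in c.groups

def new_guard(c: Creds) -> bool:
    # Post-fix condition: the effective gid must not be 0 either.
    return c.egid != 0 and 0 not in c.groups

def spurious_failure(guard: Callable[[Creds], bool], c: Creds) -> bool:
    # The test asserts failure (guard is true) yet the chown would succeed.
    return guard(c) and kernel_allows_chgrp(c, 0)

def current_creds() -> Creds:
    return Creds(os.geteuid(), os.getegid(), frozenset(os.getgroups()))

# Constructed credential sets with a non-zero uid, the case the PR describes.
SAMPLES = {
    "ordinary-user":    Creds(1000, 1000, frozenset({1000})),
    "container-egid-0": Creds(1000, 0, frozenset({1000})),
    "supplementary-0":  Creds(1000, 1000, frozenset({0, 1000})),
}

def audit(guard: Callable[[Creds], bool]) -> list:
    return sorted(n for n, c in SAMPLES.items() if spurious_failure(guard, c))

if __name__ == "__main__":
    print("old guard misfires for:", audit(old_guard))
    print("new guard misfires for:", audit(new_guard))
    me = current_creds()
    print(me, "-> assert chown(-1, 0) fails:", new_guard(me))
```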

@itamaro added the labels tests (Tests in the Lib/test dir), skip news, needs backport to 3.13 (bugs and security fixes), needs backport to 3.14 (bugs and security fixes), needs backport to 3.15 (pre-release feature fixes, bugs and security fixes) on Jun 16, 2026
@Yhg1s Yhg1s merged commit 2ce2600 into python:main Jun 16, 2026
99 of 101 checks passed
@miss-islington-app

Thanks @itamaro for the PR, and @Yhg1s for merging it 🌮🎉.. I'm working now to backport this PR to: 3.13, 3.14, 3.15.
🐍🍒⛏🤖

bedevere-app Bot commented Jun 16, 2026

GH-151549 is a backport of this pull request to the 3.15 branch.

@bedevere-app bedevere-app Bot removed the needs backport to 3.15 pre-release feature fixes, bugs and security fixes label Jun 16, 2026

bedevere-app Bot commented Jun 16, 2026

GH-151550 is a backport of this pull request to the 3.14 branch.

@bedevere-app bedevere-app Bot removed the needs backport to 3.14 bugs and security fixes label Jun 16, 2026

bedevere-app Bot commented Jun 16, 2026

GH-151551 is a backport of this pull request to the 3.13 branch.

@bedevere-app bedevere-app Bot removed the needs backport to 3.13 bugs and security fixes label Jun 16, 2026
itamaro added a commit that referenced this pull request Jun 16, 2026
…up-0 guard (GH-151521) (#151551)

gh-151519: Check effective gid in `_test_all_chown_common` group-0 guard (GH-151521)

(cherry picked from commit 2ce2600)

Co-authored-by: Itamar Oren <itamarost@gmail.com>
itamaro added a commit that referenced this pull request Jun 16, 2026
…up-0 guard (GH-151521) (#151550)

gh-151519: Check effective gid in `_test_all_chown_common` group-0 guard (GH-151521)

(cherry picked from commit 2ce2600)

Co-authored-by: Itamar Oren <itamarost@gmail.com>
itamaro added a commit that referenced this pull request Jun 16, 2026
…up-0 guard (GH-151521) (#151549)

gh-151519: Check effective gid in `_test_all_chown_common` group-0 guard (GH-151521)

(cherry picked from commit 2ce2600)

Co-authored-by: Itamar Oren <itamarost@gmail.com>
@itamaro itamaro deleted the gh-151519-test-posix-egid branch June 16, 2026 16:42