[3.15] gh-151519: Check effective gid in _test_all_chown_common group-0 guard (GH-151521) (#151549)

gh-151519: Check effective gid in `_test_all_chown_common` group-0 guard (GH-151521) The guard that skips the "chown to gid 0 should fail" assertion used only `os.getgroups()` (supplementary groups). The kernel also accepts the effective/filesystem gid for chown, so when a process runs with egid 0 and a non-zero uid (common in containers and user namespaces), chown(-1, 0) succeeds and the assertion spuriously fails. Add an `os.getegid() != 0` check alongside the existing `0 not in os.getgroups()` guard. (cherry picked from commit 2ce260033b) Co-authored-by: Itamar Oren <itamarost@gmail.com>
2026-06-28 03:41:13 +00:00 · 2026-06-16 18:42:24 +02:00 · 2026-06-16 18:42:24 +02:00 · 19bf6a3fa1
commit 19bf6a3fa1
parent ab61101f96
1 changed files with 3 additions and 1 deletions
--- a/Lib/test/test_os/test_posix.py
+++ b/Lib/test/test_os/test_posix.py
@ -899,7 +899,9 @@ def check_stat(uid, gid):
            self.assertRaises(OSError, chown_func, first_param, 0, -1)
            check_stat(uid, gid)
            if hasattr(os, 'getgroups'):
-                if 0 not in os.getgroups():
+                # Also check the effective gid, which the kernel
+                # accepts for chown even if not in getgroups().
+                if 0 not in os.getgroups() and os.getegid() != 0:
                    self.assertRaises(OSError, chown_func, first_param, -1, 0)
                    check_stat(uid, gid)
        # test illegal types