| author | KJ Tsanaktsidis <kj@kjtsanaktsidis.id.au> | 2024-08-08 21:24:13 +1000 |
|---|---|---|
| committer | KJ Tsanaktsidis <kj@kjtsanaktsidis.id.au> | 2024-08-23 09:34:41 +1000 |
| commit | 8800127d80fb1063a186ced65af445e79a518924 (patch) | |
| tree | a708756994a29730cd7c63e187586bb2be4ffc60 /test/fileutils | |
| parent | 165635049a2f5af83efe2bd64b08e7b59e925e18 (diff) | |
Skip some tests which don't work under permissionless containers
When running as UID 0 but without CAP_DAC_OVERRIDE (for example, in a
docker container running with --uid 0 but --cap-drop=all), these tests
won't work because of hard-coded assumptions about what uid 0 can and
can't do.
Notes:
Merged: https://github.com/ruby/ruby/pull/11402
Diffstat (limited to 'test/fileutils')
| -rw-r--r-- | test/fileutils/test_fileutils.rb | 16 |
1 files changed, 14 insertions, 2 deletions
diff --git a/test/fileutils/test_fileutils.rb b/test/fileutils/test_fileutils.rb index 481f913d0c..d2096a04cc 100644 --- a/test/fileutils/test_fileutils.rb +++ b/test/fileutils/test_fileutils.rb @@ -93,12 +93,24 @@ class TestFileUtils < Test::Unit::TestCase @@no_broken_symlink end + def has_capsh? + !!system('capsh', '--print', out: File::NULL, err: File::NULL) + end + + def has_root_file_capabilities? + !!system( + 'capsh', '--has-p=CAP_DAC_OVERRIDE', '--has-p=CAP_CHOWN', '--has-p=CAP_FOWNER', + out: File::NULL, err: File::NULL + ) + end + def root_in_posix? if /cygwin/ =~ RUBY_PLATFORM # FIXME: privilege if groups include root user? return Process.groups.include?(0) - end - if Process.respond_to?('uid') + elsif has_capsh? + return has_root_file_capabilities? + elsif Process.respond_to?('uid') return Process.uid == 0 else return false |
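Review bot: In has_root_file_capabilities?, `--has-p=` tests the permitted capability set, while the kernel's file permission checks use the effective set, so a process that holds CAP_DAC_OVERRIDE, CAP_CHOWN and CAP_FOWNER as permitted but has not raised them would still be reported as root-equivalent. Either confirm the effective set as well, or add a comment stating the assumption that the test process runs with permitted and effective sets equal, and say why these three capabilities were chosen. Separately, every call to root_in_posix? now spawns capsh up to twice (once in has_capsh?, once in has_root_file_capabilities?); caching the result in a class variable, as the surrounding code does with `@@no_broken_symlink`, would avoid the repeated subprocesses. Note also that when capsh is present the `Process.uid == 0` branch is never reached, so the method name no longer matches what it checks on those systems; a short comment on root_in_posix? would make that intentional change clear.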
