From acf631f26959c196d956a36a138dd8739a456bcf Mon Sep 17 00:00:00 2001
From: Itamar Oren
Date: Mon, 15 Jun 2026 16:48:16 -0700
Subject: [PATCH] gh-151519: Check effective gid in `_test_all_chown_common` group-0 guard

The guard that skips the "chown to gid 0 should fail" assertion used only `os.getgroups()` (supplementary groups). The kernel also accepts the effective/filesystem gid for chown, so when a process runs with egid 0 and a non-zero uid (common in containers and user namespaces), chown(-1, 0) succeeds and the assertion spuriously fails. Add an `os.getegid() != 0` check alongside the existing `0 not in os.getgroups()` guard.
---
 Lib/test/test_os/test_posix.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/Lib/test/test_os/test_posix.py b/Lib/test/test_os/test_posix.py
index 1395156539a1637..8e83fa21dae6e22 100644
--- a/Lib/test/test_os/test_posix.py
+++ b/Lib/test/test_os/test_posix.py
@@ -901,7 +901,9 @@ def check_stat(uid, gid):
 self.assertRaises(OSError, chown_func, first_param, 0, -1)
 check_stat(uid, gid)
 if hasattr(os, 'getgroups'):
- if 0 not in os.getgroups():
+ # Also check the effective gid, which the kernel
+ # accepts for chown even if not in getgroups().
+ if 0 not in os.getgroups() and os.getegid() != 0:
 self.assertRaises(OSError, chown_func, first_param, -1, 0)
 check_stat(uid, gid)
 # test illegal types
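Review bot: The widened guard on `if 0 not in os.getgroups() and os.getegid() != 0:` now silently skips the only visible assertion that a non-root process cannot hand a file to group 0, and the added comment does not say that the check is being skipped on purpose. I would word the comment as `# If gid 0 is our effective or a supplementary group, chown(-1, 0) is permitted, so the negative check below does not apply.` so a later reader does not mistake the skip for lost coverage of the privilege boundary. The containers and user namespaces named in the commit message may also grant CAP_CHOWN to a non-zero uid, in which case the unguarded `self.assertRaises(OSError, chown_func, first_param, 0, -1)` context line above would presumably fail too; that is inferred from the description, not shown in the hunk. The enclosing test method starts and ends outside the hunk.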