bpo-36046: posix_spawn() doesn't support uid/gid (GH-16384)

* subprocess.Popen now longer uses posix_spawn() if uid, gid or gids are set. * test_subprocess: add "nobody" and "nfsnobody" group names for test_group(). * test_subprocess: test_user() and test_group() are now also tested with close_fds=False.

bpo-36046: posix_spawn() doesn't support uid/gid (GH-16384)
* subprocess.Popen now longer uses posix_spawn() if uid, gid or gids are set. * test_subprocess: add "nobody" and "nfsnobody" group names for test_group(). * test_subprocess: test_user() and test_group() are now also tested with close_fds=False.
faca8553 · Victor Stinner · T. Wouters · 1dc1acbd · faca8553 · faca8553
Commit faca8553 authored Sep 25, 2019 by Victor Stinner Committed by T. Wouters Sep 25, 2019
Show whitespace changes
Inline Side-by-side

Showing with 42 additions and 34 deletions

Lib/subprocess.py Lib/subprocess.py +4 -1

Lib/test/test_subprocess.py Lib/test/test_subprocess.py +38 -33

No files found.
--- a/Lib/subprocess.py
+++ b/Lib/subprocess.py
@@ -1681,7 +1681,10 @@ class Popen(object):
                    and (p2cread == -1 or p2cread > 2)
                    and (c2pwrite == -1 or c2pwrite > 2)
                    and (errwrite == -1 or errwrite > 2)
-                    and not start_new_session):
+                    and not start_new_session
+                    and gid is None
+                    and gids is None
+                    and uid is None):
                self._posix_spawn(args, executable, env, restore_signals,
                                  p2cread, p2cwrite,
                                  c2pread, c2pwrite,

--- a/Lib/test/test_subprocess.py
+++ b/Lib/test/test_subprocess.py
@@ -1589,7 +1589,7 @@ class RunFuncTestCase(BaseTestCase):
 def _get_test_grp_name():
-    for name_group in ('staff', 'nogroup', 'grp'):
+    for name_group in ('staff', 'nogroup', 'grp', 'nobody', 'nfsnobody'):
        if grp:
            try:
                grp.getgrnam(name_group)
@@ -1768,13 +1768,16 @@ class POSIXProcessTestCase(BaseTestCase):
            test_users.append(name_uid)
        for user in test_users:
-            with self.subTest(user=user):
+            # posix_spawn() may be used with close_fds=False
+            for close_fds in (False, True):
+                with self.subTest(user=user, close_fds=close_fds):
                    try:
                        output = subprocess.check_output(
                                [sys.executable, "-c",
                                 "import os; print(os.getuid())"],
-                            user=user)
+                                user=user,
-                except PermissionError:  # errno.EACCES
+                                close_fds=close_fds)
+                    except PermissionError:  # (EACCES, EPERM)
                        pass
                    except OSError as e:
                        if e.errno not in (errno.EACCES, errno.EPERM):
@@ -1809,15 +1812,17 @@ class POSIXProcessTestCase(BaseTestCase):
            group_list.append(name_group)
        for group in group_list + [gid]:
-            with self.subTest(group=group):
+            # posix_spawn() may be used with close_fds=False
+            for close_fds in (False, True):
+                with self.subTest(group=group, close_fds=close_fds):
                    try:
                        output = subprocess.check_output(
                                [sys.executable, "-c",
                                 "import os; print(os.getgid())"],
-                            group=group)
+                                group=group,
-                except OSError as e:
+                                close_fds=close_fds)
-                    if e.errno != errno.EPERM:
+                    except PermissionError:  # (EACCES, EPERM)
-                        raise
+                        pass
                    else:
                        if isinstance(group, str):
                            group_gid = grp.getgrnam(group).gr_gid