Fix review issues

DiegoTavares · DiegoTavares · commit 2048dff467ea · 2026-06-10T10:25:15.000-07:00
diff --git a/rust/crates/rqd/src/frame/logging.rs b/rust/crates/rqd/src/frame/logging.rs
@@ -570,17 +570,20 @@ mod tests {
     #[cfg(any(target_os = "linux", target_os = "macos"))]
     #[test]
     fn test_init_into_unwritable_dir_reports_failing_op() {
-        // root bypasses DAC, so the unwritable-dir scenario can't be reproduced there.
-        // SAFETY: geteuid is an always-successful syscall with no preconditions.
-        if unsafe { nix::libc::geteuid() } == 0 {
-            return;
-        }
-
         let dir = tempfile::tempdir().unwrap();
         let locked = dir.path().join("locked");
         fs::create_dir(&locked).unwrap();
         fs::set_permissions(&locked, Permissions::from_mode(0o000)).unwrap();
 
+        // If this process can still create files in the locked dir (running as root, or
+        // holding CAP_DAC_OVERRIDE), the unwritable-dir scenario can't be reproduced.
+        let probe = locked.join(".probe");
+        if File::create(&probe).is_ok() {
+            let _ = fs::remove_file(&probe);
+            let _ = fs::set_permissions(&locked, Permissions::from_mode(0o755));
+            return;
+        }
+
         let log_path = locked.join("frame.rqlog");
         let result = FrameFileLogger::init(log_path.to_string_lossy().to_string(), false, None);
 
diff --git a/rust/crates/rqd/src/system/capabilities.rs b/rust/crates/rqd/src/system/capabilities.rs
@@ -54,12 +54,9 @@ mod imp {
             return Ok(());
         }
 
-        // root holds the full capability set implicitly, so there is nothing to verify.
-        // SAFETY: geteuid is an always-successful syscall with no preconditions.
-        if unsafe { nix::libc::geteuid() } == 0 {
-            return Ok(());
-        }
-
+        // Validate the effective set even when running as root: in containers and user
+        // namespaces a uid-0 process can have a reduced CapEff and would otherwise fail
+        // at frame launch instead of here.
         let caps = effective_caps().ok_or_else(|| {
             miette!(
                 "runner.run_as_user is enabled but RQD could not read its effective \
