Fix tests

client/ssh/server/executor_unix_test.go

@@ -17,6 +17,9 @@ import (
 func TestPrivilegeDropper_ValidatePrivileges(t *testing.T) {
 	pd := NewPrivilegeDropper()
 
+	currentUID := uint32(os.Geteuid())
+	currentGID := uint32(os.Getegid())
+
 	tests := []struct {
 		name    string
 		uid     uint32
@@ -24,33 +27,41 @@ func TestPrivilegeDropper_ValidatePrivileges(t *testing.T) {
 		wantErr bool
 	}{
 		{
-			name:    "valid non-root user",
+			name:    "same user - no privilege drop needed",
+			uid:     currentUID,
+			gid:     currentGID,
+			wantErr: false,
+		},
+		{
+			name:    "non-root to different user should fail",
+			uid:     currentUID + 1,  // Use a different UID to ensure it's actually different
+			gid:     currentGID + 1,  // Use a different GID to ensure it's actually different
+			wantErr: currentUID != 0, // Only fail if current user is not root
+		},
+		{
+			name:    "root can drop to any user",
 			uid:     1000,
 			gid:     1000,
 			wantErr: false,
 		},
 		{
-			name:    "root UID should be rejected",
-			uid:     0,
-			gid:     1000,
-			wantErr: true,
-		},
-		{
-			name:    "root GID should be rejected",
-			uid:     1000,
-			gid:     0,
-			wantErr: true,
-		},
-		{
-			name:    "both root should be rejected",
+			name:    "root can stay as root",
 			uid:     0,
 			gid:     0,
-			wantErr: true,
+			wantErr: false,
 		},
 	}
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
+			// Skip non-root tests when running as root, and root tests when not root
+			if tt.name == "non-root to different user should fail" && currentUID == 0 {
+				t.Skip("Skipping non-root test when running as root")
+			}
+			if (tt.name == "root can drop to any user" || tt.name == "root can stay as root") && currentUID != 0 {
+				t.Skip("Skipping root test when not running as root")
+			}
+
 			err := pd.validatePrivileges(tt.uid, tt.gid)
 			if tt.wantErr {
 				assert.Error(t, err)
@@ -204,18 +215,35 @@ func findNonRootUser() (*user.User, error) {
 
 func TestPrivilegeDropper_ExecuteWithPrivilegeDrop_Validation(t *testing.T) {
 	pd := NewPrivilegeDropper()
+	currentUID := uint32(os.Geteuid())
 
-	// Test validation of root privileges - this should be caught in CreateExecutorCommand
-	config := ExecutorConfig{
-		UID:        0, // Root UID should be rejected
-		GID:        1000,
-		Groups:     []uint32{1000},
-		WorkingDir: "/tmp",
-		Shell:      "/bin/sh",
-		Command:    "echo test",
+	if currentUID == 0 {
+		// When running as root, test that root can create commands for any user
+		config := ExecutorConfig{
+			UID:        1000, // Target non-root user
+			GID:        1000,
+			Groups:     []uint32{1000},
+			WorkingDir: "/tmp",
+			Shell:      "/bin/sh",
+			Command:    "echo test",
+		}
+
+		cmd, err := pd.CreateExecutorCommand(context.Background(), config)
+		assert.NoError(t, err, "Root should be able to create commands for any user")
+		assert.NotNil(t, cmd)
+	} else {
+		// When running as non-root, test that we can't drop to a different user
+		config := ExecutorConfig{
+			UID:        0, // Try to target root
+			GID:        0,
+			Groups:     []uint32{0},
+			WorkingDir: "/tmp",
+			Shell:      "/bin/sh",
+			Command:    "echo test",
+		}
+
+		_, err := pd.CreateExecutorCommand(context.Background(), config)
+		assert.Error(t, err)
+		assert.Contains(t, err.Error(), "cannot drop privileges")
 	}
-
-	_, err := pd.CreateExecutorCommand(context.Background(), config)
-	assert.Error(t, err)
-	assert.Contains(t, err.Error(), "root user")
 }