drop-root-caps

Crates.io: drop-root-caps
lib.rs: drop-root-caps
version: 1.2.1
created_at: 2025-12-23 21:48:24.981611+00
updated_at: 2025-12-25 22:17:26.905715+00
description: A simple crate to drop 'root' user capabilities on Linux
homepage:
repository: https://github.com/lordmulder/drop-root-caps/
max_upload_size:
id: 2002380
size: 10,068
LoRd_MuldeR (lordmulder)


README

Drop Root Capabilities


A simple crate to drop "root" user capabilities on Linux.

On Linux, the "root" user (UID 0) has some special capabilities that "regular" users do not normally have. This can result in weird behavior, e.g., if unit tests (or integration tests) are executed in the context of the "root" user, as Docker® containers do by default! For example, a file that should not be accessible (according to its access permissions) may suddenly become accessible – because the "root" user has the CAP_DAC_OVERRIDE capability, which allows the "root" user to access the file regardless of the access permissions. As a result, a test case that expects File::open() to return a "permission denied" error (and rightfully so!) will suddenly start to fail 😨

This crate uses the Linux syscall prctl() with argument PR_CAPBSET_DROP to drop the "root"-specific capabilities at application startup and thus restores the expected behavior. It does nothing on other platforms.
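To see whether a test process is affected by the problem described above, its effective capability set can be read from the "CapEff:" line of /proc/self/status. The following is an added example, not code from the drop-root-caps crate; it uses only the standard library, the function names are hypothetical, and the sample status text is constructed.

```rust
// Added example: std only, does not use the drop-root-caps crate.
use std::fs;

// Capability bit numbers from <linux/capability.h>.
const CAP_DAC_OVERRIDE: u32 = 1;
const CAP_DAC_READ_SEARCH: u32 = 2;

// Constructed sample of /proc/<pid>/status lines for a root process in a
// container with a reduced capability set (illustrative values).
const SAMPLE_STATUS: &str = "Name:\tmy_test\nUid:\t0\t0\t0\t0\n\
CapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\n";

/// Extracts the effective capability mask from the "CapEff:" line (hex).
fn parse_cap_eff(status: &str) -> Option<u64> {
    status.lines().find_map(|line| {
        let hex = line.strip_prefix("CapEff:")?.trim();
        u64::from_str_radix(hex, 16).ok()
    })
}

fn has_cap(mask: u64, cap: u32) -> bool {
    mask & (1u64 << cap) != 0
}

/// True if the process can read files regardless of their mode bits, so a
/// test that expects File::open() to fail with PermissionDenied would break.
fn bypasses_file_permissions(mask: u64) -> bool {
    has_cap(mask, CAP_DAC_OVERRIDE) || has_cap(mask, CAP_DAC_READ_SEARCH)
}

/// Formats a one-line diagnosis for the given status text.
fn report(label: &str, status: &str) -> String {
    match parse_cap_eff(status) {
        Some(m) if bypasses_file_permissions(m) => {
            format!("{}: CapEff={:#x}, file permission checks are bypassed", label, m)
        }
        Some(m) => format!("{}: CapEff={:#x}, file permission checks apply", label, m),
        None => format!("{}: no CapEff line (not Linux, or /proc unavailable)", label),
    }
}

fn main() {
    println!("{}", report("sample", SAMPLE_STATUS));
    // An unreadable /proc yields an empty string and the "no CapEff" branch.
    let live = fs::read_to_string("/proc/self/status").unwrap_or_default();
    println!("{}", report("this process", &live));
}
```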

Usage

Add the following to your Cargo.toml file:

[dev-dependencies]
drop-root-caps = "1.2.1"

You probably do not want to add this crate to your [dependencies], only to the [dev-dependencies] 💡

Also, you must add the following code to your test module(s), as otherwise the Rust compiler optimizes away the drop-root-caps dependency 😬

#[used]
static DROP_ROOT_CAPS: () = drop_root_caps::set_up();

License

This software is released under the BSD Zero Clause (“0BSD”) License.

Copyright (C) 2025 by LoRd_MuldeR <mulder2@gmx.de>.
