From 2e3e32dfce0250a9c22ba7514cb38026de333e3f Mon Sep 17 00:00:00 2001
From: Andrew Tridgell <andrew@tridgell.net>
Date: Mon, 25 May 2026 08:01:11 +1000
Subject: [PATCH 1/8] testsuite: verify --fuzzy actually selects a basis

Both fuzzy tests asserted only that the final file content matched, which a
full transfer that ignored --fuzzy would also satisfy -- so a broken fuzzy
basis selection would pass undetected. Drive rsync directly with --debug=FUZZY
and assert the generator reports the expected basis ("fuzzy basis selected
for <f>: <basis>", generator.c find_fuzzy): rsync2.c for fuzzy, and the
closest-named candidate archive-v1.tar for fuzzy-basis. fuzzy switches from
checkit() to a manual run plus verify_dirs() so the output can be captured.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 testsuite/fuzzy-basis_test.py | 12 ++++++++++--
 testsuite/fuzzy_test.py       | 18 +++++++++++++++---
 2 files changed, 25 insertions(+), 5 deletions(-)

diff --git a/testsuite/fuzzy-basis_test.py b/testsuite/fuzzy-basis_test.py
index 77889439b..d91a3b9ed 100644
--- a/testsuite/fuzzy-basis_test.py
+++ b/testsuite/fuzzy-basis_test.py
@@ -11,7 +11,7 @@
 
 from rsyncfns import (
     FROMDIR, TODIR,
-    assert_same, make_data_file, makepath, rmtree, run_rsync,
+    assert_same, make_data_file, makepath, rmtree, run_rsync, test_fail,
 )
 
 src = FROMDIR
@@ -31,7 +31,15 @@
 (TODIR / deepdir / 'archive-old.tar').write_bytes(base[:200_000])
 (TODIR / deepdir / 'unrelated.dat').write_bytes(b'nothing alike' * 1000)
 
-run_rsync('-a', '--fuzzy', '--no-whole-file', f'{src}/', f'{TODIR}/')
+# Capture --debug=FUZZY: a correct final file alone would also result from a
+# full transfer that ignored --fuzzy, so assert the scorer actually chose the
+# closest-named candidate (archive-v1.tar) as the basis, not just that bytes match.
+proc = run_rsync('-a', '--fuzzy', '--no-whole-file', '--debug=FUZZY',
+                 f'{src}/', f'{TODIR}/', capture_output=True)
+want = f'fuzzy basis selected for {newfile}: {os.path.join(deepdir, "archive-v1.tar")}'
+if want not in proc.stdout:
+    test_fail(f"--fuzzy did not score archive-v1.tar as the closest basis; "
+              f"expected {want!r}, --debug=FUZZY output was:\n{proc.stdout}")
 assert_same(TODIR / newfile, src / newfile, label='fuzzy result')
 
 print("fuzzy-basis: --fuzzy candidate scoring (fuzzy_distance) verified at depth")
diff --git a/testsuite/fuzzy_test.py b/testsuite/fuzzy_test.py
index 7858fcc26..03c57301b 100644
--- a/testsuite/fuzzy_test.py
+++ b/testsuite/fuzzy_test.py
@@ -8,7 +8,9 @@
 
 import time
 
-from rsyncfns import FROMDIR, SRCDIR, TODIR, checkit, cp_p, cp_touch
+from rsyncfns import (
+    FROMDIR, SRCDIR, TODIR, cp_p, cp_touch, run_rsync, test_fail, verify_dirs,
+)
 
 
 FROMDIR.mkdir(parents=True, exist_ok=True)
@@ -18,5 +20,15 @@
 cp_touch(FROMDIR / 'rsync.c', TODIR / 'rsync2.c')
 time.sleep(1)
 
-checkit(['-avvi', '--no-whole-file', '--fuzzy', '--delete-delay',
-         f'{FROMDIR}/', f'{TODIR}/'], FROMDIR, TODIR)
+# Drive rsync directly (rather than checkit) so we can capture --debug=FUZZY:
+# a final tree match alone would also be produced by a full transfer that
+# ignored --fuzzy, so assert the generator actually picked rsync2.c as the
+# fuzzy basis for rsync.c (generator.c find_fuzzy / "fuzzy basis selected").
+proc = run_rsync('-avvi', '--no-whole-file', '--fuzzy', '--delete-delay',
+                 '--debug=FUZZY', f'{FROMDIR}/', f'{TODIR}/',
+                 capture_output=True)
+if 'fuzzy basis selected for rsync.c: rsync2.c' not in proc.stdout:
+    test_fail("--fuzzy did not select rsync2.c as the basis for rsync.c; "
+              f"--debug=FUZZY output was:\n{proc.stdout}")
+# ...and --delete-delay still removes the stale basis, leaving TODIR == FROMDIR.
+verify_dirs(FROMDIR, TODIR)

From 8554d4f8ba79fe467074c3f4543dc3b6148bd605 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell <andrew@tridgell.net>
Date: Mon, 25 May 2026 08:02:41 +1000
Subject: [PATCH 2/8] testsuite: verify the negotiated compressor/checksum
 selection

compress-options only checked that each requested algorithm yielded
byte-identical output, which proves parsing/non-corruption but not that the
advertised algorithm was actually used -- the test would pass if the choice
were silently ignored. Capture --debug=NSTR (compat.c / checksum.c) and assert
the selected compressor, compress level, and checksum match the request
(anchored so zlib != zlibx). --skip-compress / --checksum-seed stay content
checks: they have no comparable negotiation-string signal.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 testsuite/compress-options_test.py | 28 +++++++++++++++++++++++-----
 1 file changed, 23 insertions(+), 5 deletions(-)

diff --git a/testsuite/compress-options_test.py b/testsuite/compress-options_test.py
index 74e087712..c11741e67 100644
--- a/testsuite/compress-options_test.py
+++ b/testsuite/compress-options_test.py
@@ -9,10 +9,11 @@
 """
 
 import json
+import re
 
 from rsyncfns import (
     FROMDIR, TODIR,
-    assert_same, make_tree, rmtree, run_rsync, walk_files,
+    assert_same, make_tree, rmtree, run_rsync, test_fail, walk_files,
 )
 
 src = FROMDIR
@@ -34,14 +35,25 @@ def verify(rels, label):
 
 
 # --- --compress-choice for every advertised compressor ----------------------
+# Byte-identical output alone proves only that the option didn't corrupt data;
+# assert via --debug=NSTR (compat.c) that the requested compressor was actually
+# selected for the transfer. The trailing " (level" anchors so zlib != zlibx.
 for algo in compressors:
     rels = fresh()
-    run_rsync('-az', f'--compress-choice={algo}', f'{src}/', f'{TODIR}/')
+    proc = run_rsync('-az', f'--compress-choice={algo}', '--debug=NSTR',
+                     f'{src}/', f'{TODIR}/', capture_output=True)
+    if not re.search(rf'compress: {re.escape(algo)} \(level', proc.stdout):
+        test_fail(f"--compress-choice={algo} was not the selected compressor; "
+                  f"--debug=NSTR output:\n{proc.stdout}")
     verify(rels, f'--compress-choice={algo}')
 
-# --- --compress-level -------------------------------------------------------
+# --- --compress-level (the requested level reaches the compressor) ----------
 rels = fresh()
-run_rsync('-az', '--compress-level=9', f'{src}/', f'{TODIR}/')
+proc = run_rsync('-az', '--compress-level=9', '--debug=NSTR',
+                 f'{src}/', f'{TODIR}/', capture_output=True)
+if not re.search(r'compress: \S+ \(level 9\)', proc.stdout):
+    test_fail("--compress-level=9 was not applied; "
+              f"--debug=NSTR output:\n{proc.stdout}")
 verify(rels, '--compress-level=9')
 
 # --- --skip-compress (the file must still arrive intact) --------------------
@@ -52,9 +64,15 @@ def verify(rels, label):
             label='--skip-compress gz')
 
 # --- --checksum-choice for every advertised checksum ------------------------
+# As above: assert via --debug=NSTR (checksum.c) that the requested checksum was
+# the one negotiated, not merely that the transfer succeeded.
 for algo in checksums:
     rels = fresh()
-    run_rsync('-a', '-c', f'--checksum-choice={algo}', f'{src}/', f'{TODIR}/')
+    proc = run_rsync('-a', '-c', f'--checksum-choice={algo}', '--debug=NSTR',
+                     f'{src}/', f'{TODIR}/', capture_output=True)
+    if not re.search(rf'checksum: {re.escape(algo)}\b', proc.stdout):
+        test_fail(f"--checksum-choice={algo} was not the selected checksum; "
+                  f"--debug=NSTR output:\n{proc.stdout}")
     verify(rels, f'--checksum-choice={algo}')
 
 # --- --checksum-seed --------------------------------------------------------

From e9894fec3d9a2bc61283580338926f3f3aa0c289 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell <andrew@tridgell.net>
Date: Mon, 25 May 2026 08:04:56 +1000
Subject: [PATCH 3/8] testsuite: harden output-options checks

Several subcases ran rsync without checking the exit status, so a silent
failure could pass as the expected (often empty) output -- most notably -q,
which only asserted empty stdout. Route every expected-success run through a
helper that asserts the exit status, and verify -q actually transferred the
tree. Replace the "-h/-8 didn't break the transfer" check with positive format
assertions: -h must render byte counts with a K/M/G suffix (and the default
must not), and -8 must leave a high-bit filename byte unescaped (\#371 absent)
where the default escapes it -- best-effort, self-skipping where the platform
can't store the raw byte.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 testsuite/output-options_test.py | 74 ++++++++++++++++++++++++++++----
 1 file changed, 65 insertions(+), 9 deletions(-)

diff --git a/testsuite/output-options_test.py b/testsuite/output-options_test.py
index 3a836e1cd..1d57c086a 100644
--- a/testsuite/output-options_test.py
+++ b/testsuite/output-options_test.py
@@ -5,25 +5,40 @@
 checked for the documented output shape rather than at depth:
   --version, --help, --itemize-changes (-i), --dry-run (-n), --stats,
   --out-format, --list-only, --quiet (-q), --progress, -h, -8.
+
+Every rsync run that is expected to succeed has its exit status checked (a
+silent failure must not pass as "no output"), and the format-changing options
+(-h, -8) assert the documented difference rather than merely "didn't break".
 """
 
+import os
+import re
 import subprocess
 
 from rsyncfns import (
     FROMDIR, TODIR,
-    assert_not_exists, make_tree, rmtree, rsync_argv, test_fail,
+    assert_not_exists, make_data_file, make_tree, makepath, rmtree, rsync_argv,
+    test_fail, verify_dirs,
 )
 
 src = FROMDIR
 
 
-def out(*args):
-    return subprocess.run(rsync_argv(*args), capture_output=True, text=True)
+def out(*args, want_rc=0, env=None, text=True):
+    """Run rsync capturing output. Unless want_rc is None, fail the test if the
+    exit status isn't want_rc -- so a broken transfer can't masquerade as the
+    expected (often empty) output."""
+    p = subprocess.run(rsync_argv(*args), capture_output=True, text=text, env=env)
+    if want_rc is not None and p.returncode != want_rc:
+        err = p.stderr if text else p.stderr.decode('latin-1', 'replace')
+        test_fail(f"rsync {' '.join(args)} exited {p.returncode}, "
+                  f"expected {want_rc}:\n{err}")
+    return p
 
 
 # --- --version / --help -----------------------------------------------------
 p = out('--version')
-if p.returncode != 0 or 'protocol version' not in p.stdout:
+if 'protocol version' not in p.stdout:
     test_fail(f"--version output unexpected:\n{p.stdout}")
 p = out('--help')
 help_txt = p.stdout + p.stderr
@@ -68,11 +83,14 @@ def out(*args):
     test_fail(f"--list-only did not list files:\n{p.stdout}")
 assert_not_exists(TODIR / 'f0', label='--list-only copied a file')
 
-# --- --quiet suppresses normal stdout ---------------------------------------
+# --- --quiet suppresses normal stdout BUT still transfers -------------------
+# Checking only for empty stdout would also pass if the transfer silently
+# failed, so confirm the destination actually received the tree.
 rmtree(TODIR)
 p = out('-a', '-q', f'{src}/', f'{TODIR}/')
 if p.stdout.strip() != '':
     test_fail(f"--quiet produced stdout: {p.stdout!r}")
+verify_dirs(src, TODIR, label='--quiet still transferred')
 
 # --- --progress shows a percentage ------------------------------------------
 rmtree(TODIR)
@@ -80,11 +98,49 @@ def out(*args):
 if '100%' not in p.stdout:
     test_fail(f"--progress did not show a percentage:\n{p.stdout}")
 
-# --- -h / -8 do not break a transfer ----------------------------------------
+# --- -h / --human-readable formats byte counts with a unit suffix -----------
+# Without -h, --stats prints grouped digits ("50,000 bytes"); with -h it uses a
+# K/M/G suffix ("50.00K"). Use a file big enough that the two forms differ.
+rmtree(src)
+rmtree(TODIR)
+makepath(src)
+make_data_file(src / 'big', 50_000)
+plain = out('-a', '--stats', f'{src}/', f'{TODIR}/').stdout
+rmtree(TODIR)
+human = out('-a', '-h', '--stats', f'{src}/', f'{TODIR}/').stdout
+suffix_re = r'Total file size: [\d.]+[KMG]'
+if not re.search(suffix_re, human):
+    test_fail(f"-h did not use a human-readable unit suffix:\n{human}")
+if re.search(suffix_re, plain):
+    test_fail(f"--stats without -h unexpectedly used a unit suffix:\n{plain}")
+
+# --- -8 / --8-bit-output leaves high-bit filename bytes unescaped ------------
+# rsync escapes non-printable name bytes as \#NNN; -8 prints 8-bit bytes raw.
+# This needs a filename containing a high-bit byte and a C locale (where such a
+# byte is non-printable). Best-effort: skip silently where the filesystem can't
+# store the raw byte (macOS/Cygwin may reject or normalise it).
+rmtree(src)
 rmtree(TODIR)
-p = out('-a', '-h', '-8', '--stats', f'{src}/', f'{TODIR}/')
-if p.returncode != 0:
-    test_fail(f"-h/-8 broke the transfer:\n{p.stderr}")
+makepath(src)
+weird = os.fsencode(str(src)) + b'/hi\xf9name'   # 0xf9 -> octal 371
+try:
+    with open(weird, 'wb') as f:
+        f.write(b"x\n")
+    weird_ok = True
+except OSError:
+    weird_ok = False
+
+if weird_ok:
+    cenv = dict(os.environ, LC_ALL='C')
+    makepath(TODIR)
+    noesc = out('-ai', f'{src}/', f'{TODIR}/', env=cenv, text=False)
+    if rb'\#371' in noesc.stdout:        # FS preserved the raw byte as expected
+        rmtree(TODIR)
+        makepath(TODIR)
+        esc = out('-ai', '-8', f'{src}/', f'{TODIR}/', env=cenv, text=False)
+        if rb'\#371' in esc.stdout:
+            test_fail("-8 should leave the high-bit name byte unescaped, but "
+                      f"the \\#371 escape was still present:\n{esc.stdout!r}")
 
 print("output-options: version/help/-i/-n/--stats/--out-format/--list-only/"
       "-q/--progress/-h/-8 verified")

From 3b0d3d20f103db901fcf8483949f5ee59dd20d62 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell <andrew@tridgell.net>
Date: Mon, 25 May 2026 08:08:42 +1000
Subject: [PATCH 4/8] testsuite: add positive controls to the symlink-race
 security tests

The symlink-race tests only asserted that an outside sentinel was unchanged or
unlisted while ignoring rsync's exit status, so an attack transfer/listing that
failed before reaching the vulnerable receiver/sender path would pass without
the security property ever being exercised. Add a positive control to each --
an ordinary in-module write (bare-do-open, chdir) or an in-module listing
(sender-flist-leak) that must succeed -- so a globally broken/refusing daemon
can no longer make the sentinel checks vacuous, and assert the attack run did
not die from a signal.

clean-fname-underflow now also enforces a non-zero exit: clean_fname()
collapses "a/../test" to "test", whose merge file is absent, so rsync must
reject it; accepting it (rc 0) would mean the crafted name was mis-collapsed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 testsuite/bare-do-open-symlink-race_test.py | 37 ++++++++++++++++++---
 testsuite/chdir-symlink-race_test.py        | 32 ++++++++++++++++--
 testsuite/clean-fname-underflow_test.py     | 11 ++++--
 testsuite/sender-flist-symlink-leak_test.py | 19 +++++++++++
 4 files changed, 89 insertions(+), 10 deletions(-)

diff --git a/testsuite/bare-do-open-symlink-race_test.py b/testsuite/bare-do-open-symlink-race_test.py
index deff07314..6ad70a40d 100644
--- a/testsuite/bare-do-open-symlink-race_test.py
+++ b/testsuite/bare-do-open-symlink-race_test.py
@@ -92,10 +92,31 @@ def verify_outside_unchanged_or_absent(label: str, target: str) -> None:
 
 
 def run_attack(args):
-    subprocess.run(
+    """Run the (expected-to-be-contained) attack transfer and return its exit
+    code; output is discarded since the security assertion is on the filesystem."""
+    return subprocess.run(
         rsync_argv(*args),
         stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
-    )
+    ).returncode
+
+
+def positive_control():
+    """Confirm the upload module accepts an ordinary write. Without this, every
+    scenario below would also pass if the daemon refused (or failed) before the
+    vulnerable code ran -- the sentinel-unchanged check alone can't tell a
+    securely-contained attack from one that never reached the receiver path."""
+    for d in (mod, src):
+        rmtree(d)
+        d.mkdir(parents=True)
+    (src / 'legit.txt').write_text("LEGIT_IN_MODULE\n")
+    rc = run_attack(['-t', f'{src}/legit.txt', f'{daemon_url}/upload/legit.txt'])
+    if rc != 0 or not (mod / 'legit.txt').is_file() \
+            or (mod / 'legit.txt').read_text() != "LEGIT_IN_MODULE\n":
+        test_fail(f"positive control: upload module did not accept a normal "
+                  f"write (rc={rc}); attack scenarios would be vacuous")
+
+
+positive_control()
 
 
 # Scenario 3b: --inplace --backup --backup-dir=cd
@@ -105,10 +126,12 @@ def run_attack(args):
 (src / 'target.txt').write_text("NEW_DATA_FROM_SENDER\n")
 os.chmod(src / 'target.txt', 0o644)
 
-run_attack([
+rc = run_attack([
     '--inplace', '--backup', '--backup-dir=cd',
     f'{src}/target.txt', f'{daemon_url}/upload/target.txt',
 ])
+if rc >= 128:
+    test_fail(f"3b inplace+backup-dir=cd: rsync died from a signal (rc={rc})")
 verify_outside_unchanged("3b inplace+backup-dir=cd")
 
 
@@ -117,7 +140,9 @@ def run_attack(args):
 (src / 'cd').mkdir()
 os.symlink('/etc/passwd', src / 'cd' / 'sym')
 
-run_attack(['-rl', f'{src}/', f'{daemon_url}/upload_fake/'])
+rc = run_attack(['-rl', f'{src}/', f'{daemon_url}/upload_fake/'])
+if rc >= 128:
+    test_fail(f"3c-symlink: rsync died from a signal (rc={rc})")
 verify_outside_unchanged_or_absent("3c-symlink fake-super symlink push", "sym")
 
 
@@ -132,5 +157,7 @@ def run_attack(args):
 if not stat.S_ISFIFO((src / 'cd' / 'fifo').stat().st_mode):
     test_skipped("mkfifo unavailable; cannot exercise 3c-mknod")
 
-run_attack(['-rD', f'{src}/', f'{daemon_url}/upload_fake/'])
+rc = run_attack(['-rD', f'{src}/', f'{daemon_url}/upload_fake/'])
+if rc >= 128:
+    test_fail(f"3c-mknod: rsync died from a signal (rc={rc})")
 verify_outside_unchanged_or_absent("3c-mknod fake-super FIFO push", "fifo")
diff --git a/testsuite/chdir-symlink-race_test.py b/testsuite/chdir-symlink-race_test.py
index 80b314c04..623793c9f 100644
--- a/testsuite/chdir-symlink-race_test.py
+++ b/testsuite/chdir-symlink-race_test.py
@@ -87,13 +87,41 @@ def verify_unchanged(label: str) -> None:
 
 def run_attack(label: str, *args) -> None:
     reset_outside()
-    subprocess.run(
+    rc = subprocess.run(
         rsync_argv(*args),
         stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
-    )
+    ).returncode
+    if rc >= 128:
+        test_fail(f"{label}: rsync died from a signal (rc={rc})")
     verify_unchanged(label)
 
 
+def positive_control() -> None:
+    """Confirm the receiver writes into an ordinary in-module subdirectory, so
+    the symlink-escape scenarios below genuinely exercise the chdir path rather
+    than passing because the daemon refused (or failed) before reaching it."""
+    real = mod / 'realdir'
+    rmtree(real)
+    real.mkdir()
+    # When this test runs as root the daemon serves as 'nobody' (the module
+    # sets no uid), so make the control target world-writable; push a single
+    # file with no attribute preservation so the write never needs to own/chmod
+    # the dir -- it should land purely on the receiver's normal write path.
+    os.chmod(real, 0o777)
+    rc = subprocess.run(
+        rsync_argv(f'{src}/subdir/target.txt', f'{url}upload/realdir/'),
+        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
+    ).returncode
+    landed = real / 'target.txt'
+    if rc != 0 or not landed.is_file() \
+            or not filecmp.cmp(landed, src / 'subdir' / 'target.txt', shallow=False):
+        test_fail(f"positive control: receiver did not write into an ordinary "
+                  f"in-module subdir (rc={rc}); attack scenarios would be vacuous")
+
+
+positive_control()
+
+
 # 1. Single file with --size-only -- receiver normally skips basis open and
 # goes straight to chmod; only the chdir-escape blocks it.
 run_attack("single-file --size-only",
diff --git a/testsuite/clean-fname-underflow_test.py b/testsuite/clean-fname-underflow_test.py
index 4b30155ce..638bf3ae4 100644
--- a/testsuite/clean-fname-underflow_test.py
+++ b/testsuite/clean-fname-underflow_test.py
@@ -3,8 +3,10 @@
 #
 # Ensure clean_fname() does not read-before-buffer when collapsing "..".
 # Exercises the --server path where a crafted merge filename hits
-# clean_fname(); a non-zero exit is expected (the input is bogus), but
-# the test fails if rsync dies from a signal (status >= 128).
+# clean_fname(); the test fails if rsync dies from a signal (status >= 128)
+# AND if rsync exits 0 -- the bogus input must be rejected (clean_fname
+# collapses "a/../test" to "test", whose merge file does not exist, so rsync
+# errors out non-zero). Accepting it would mean the name was mis-collapsed.
 
 import os
 import shlex
@@ -29,5 +31,8 @@
 
 if proc.returncode >= 128:
     test_fail(f"rsync exited due to a signal (status={proc.returncode})")
+if proc.returncode == 0:
+    test_fail("rsync accepted the bogus 'a/../test' merge filter (expected a "
+              "non-zero rejection); clean_fname() may have mis-collapsed it")
 
-print("OK: clean_fname() handled 'a/../test' without crashing")
+print("OK: clean_fname() handled 'a/../test' without crashing, and rejected it")
diff --git a/testsuite/sender-flist-symlink-leak_test.py b/testsuite/sender-flist-symlink-leak_test.py
index 67fc2f11b..97c1f602b 100644
--- a/testsuite/sender-flist-symlink-leak_test.py
+++ b/testsuite/sender-flist-symlink-leak_test.py
@@ -49,6 +49,11 @@
 
 os.symlink(str(outside), mod / 'cd')
 
+# A legitimate in-module file, used as a positive control so the leak check
+# below can't pass simply because the daemon's listing machinery is broken.
+(mod / 'realdir').mkdir()
+(mod / 'realdir' / 'in_module.txt').write_text("INSIDE_THE_MODULE\n")
+
 my_uid = get_testuid()
 root_uid = get_rootuid()
 root_gid = get_rootgid()
@@ -71,10 +76,24 @@
 
 url = start_test_daemon(conf, DAEMON_PORT)
 
+# Positive control: a normal recursive listing of an in-module path must
+# enumerate the in-module file. If this fails, the daemon's flist generation is
+# broken and the leak check below would be vacuously satisfied.
+ctl = subprocess.run(
+    rsync_argv('-nrv', f'{url}upload/realdir/', f'{SCRATCHDIR}/dst/'),
+    capture_output=True, text=True,
+)
+if ctl.returncode != 0 or 'in_module.txt' not in ctl.stdout:
+    test_fail("positive control: listing an in-module path did not enumerate "
+              f"in_module.txt (rc={ctl.returncode}); leak check would be vacuous"
+              f"\n{ctl.stdout}{ctl.stderr}")
+
 proc = subprocess.run(
     rsync_argv('-nrv', f'{url}upload/cd/', f'{SCRATCHDIR}/dst/'),
     capture_output=True, text=True,
 )
+if proc.returncode >= 128:
+    test_fail(f"leak pull: rsync died from a signal (rc={proc.returncode})")
 listfile.write_text(proc.stdout + proc.stderr)
 
 if 'leak_marker.txt' in listfile.read_text():

From b187332583e816dd087bcc499c0ecc6d55215aac Mon Sep 17 00:00:00 2001
From: Andrew Tridgell <andrew@tridgell.net>
Date: Mon, 25 May 2026 08:12:03 +1000
Subject: [PATCH 5/8] testsuite: verify destination content/listings in daemon
 tests

These daemon tests confirmed refusals/exclusions but accepted the allowed
transfers on exit status alone, so a transfer that exited cleanly while moving
nothing would pass:

  daemon-refuse  allowed() imported verify_dirs but never called it; now it
                 confirms the allowed push/pull actually populated the dest.
  daemon-filter  pull()/the incoming push ignored their exit status, and the
                 outgoing-chmod loop iterated only files that exist -- a
                 zero-file pull passed vacuously. Check the codes and require
                 at least one file to have been mode-checked.
  daemon         run_and_check's unused `expected` param is dropped; the
                 hidden-module and glob listings now compare the exact set of
                 listed paths (catching a leaked extra path), replacing the
                 per-path containment check and the dead normalise() helper
                 whose regex never matched the -r listing format anyway.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 testsuite/daemon-filter_test.py | 22 ++++++--
 testsuite/daemon-refuse_test.py | 11 ++--
 testsuite/daemon_test.py        | 92 ++++++++++++++-------------------
 3 files changed, 64 insertions(+), 61 deletions(-)

diff --git a/testsuite/daemon-filter_test.py b/testsuite/daemon-filter_test.py
index cac387e8b..59566068c 100644
--- a/testsuite/daemon-filter_test.py
+++ b/testsuite/daemon-filter_test.py
@@ -40,8 +40,11 @@
 def pull(mod, dest):
     rmtree(dest)
     makepath(dest)
-    subprocess.run(rsync_argv('-a', f'{url}{mod}/', f'{dest}/'),
-                   stdout=subprocess.DEVNULL)
+    proc = subprocess.run(rsync_argv('-a', f'{url}{mod}/', f'{dest}/'),
+                          stdout=subprocess.DEVNULL, stderr=subprocess.PIPE,
+                          text=True)
+    if proc.returncode not in (0, 23):
+        test_fail(f"pull from {mod} failed (rc={proc.returncode}): {proc.stderr}")
 
 
 # --- daemon exclude hides *.secret everywhere in the module -----------------
@@ -53,8 +56,11 @@ def pull(mod, dest):
             label='daemon exclude kept others')
 
 # --- incoming chmod rewrites pushed file modes at depth ---------------------
-subprocess.run(rsync_argv('-a', f'{src}/', f'{url}inc/'),
-               stdout=subprocess.DEVNULL)
+proc = subprocess.run(rsync_argv('-a', f'{src}/', f'{url}inc/'),
+                      stdout=subprocess.DEVNULL, stderr=subprocess.PIPE,
+                      text=True)
+if proc.returncode not in (0, 23):
+    test_fail(f"incoming push failed (rc={proc.returncode}): {proc.stderr}")
 checked = 0
 for rel in rels:
     p = incdir / rel
@@ -67,10 +73,16 @@ def pull(mod, dest):
 # --- outgoing chmod rewrites pulled file modes at depth ---------------------
 op = SCRATCHDIR / 'outpull'
 pull('out', op)
+checked = 0
 for rel in rels:
     p = op / rel
-    if p.is_file() and (os.stat(p).st_mode & 0o044):
+    if not p.is_file():
+        continue
+    checked += 1
+    if os.stat(p).st_mode & 0o044:
         test_fail(f"outgoing chmod did not clear group/other read on {rel}: "
                   f"{oct(os.stat(p).st_mode & 0o777)}")
+if checked == 0:
+    test_fail("outgoing chmod test pulled no files (loop was vacuous)")
 
 print("daemon-filter: exclude / incoming chmod / outgoing chmod verified at depth")
diff --git a/testsuite/daemon-refuse_test.py b/testsuite/daemon-refuse_test.py
index 770b36ba9..054f28099 100644
--- a/testsuite/daemon-refuse_test.py
+++ b/testsuite/daemon-refuse_test.py
@@ -44,19 +44,23 @@ def refused(args, what):
     return proc.stderr
 
 
-def allowed(args, what):
+def allowed(args, what, expected=None, actual=None):
     proc = subprocess.run(rsync_argv(*args),
                           stdout=subprocess.DEVNULL, stderr=subprocess.PIPE,
                           text=True)
     if proc.returncode not in (0, 23):
         test_fail(f"{what} was unexpectedly refused: {proc.stderr}")
+    # A 0/23 exit alone doesn't prove the transfer happened; verify the data
+    # actually landed for the allowed cases.
+    if expected is not None:
+        verify_dirs(expected, actual, label=what)
 
 
 # --- a named refused option (delete) ----------------------------------------
 refused(['-a', '--delete', f'{src}/', f'{url}refuse-delete/'],
         "--delete on a refuse=delete module")
 allowed(['-a', f'{src}/', f'{url}refuse-delete/'],
-        "plain push to a refuse=delete module")
+        "plain push to a refuse=delete module", src, deldir)
 
 # --- a wildcard refused option (checksum*) ----------------------------------
 dest = SCRATCHDIR / 'wilddest'
@@ -67,7 +71,8 @@ def allowed(args, what):
 # --- the "* !a !v" allow-list: -av allowed, -z refused ----------------------
 rmtree(dest)
 makepath(dest)
-allowed(['-av', f'{url}only-av/', f'{dest}/'], "-av on an allow-list module")
+allowed(['-av', f'{url}only-av/', f'{dest}/'], "-av on an allow-list module",
+        src, dest)
 refused(['-avz', f'{url}only-av/', f'{dest}/'],
         "-z on an allow-list module")
 
diff --git a/testsuite/daemon_test.py b/testsuite/daemon_test.py
index 9643e941d..4e022fa5c 100644
--- a/testsuite/daemon_test.py
+++ b/testsuite/daemon_test.py
@@ -7,7 +7,6 @@
 # by using RSYNC_CONNECT_PROG to spawn the daemon as a child of rsync.
 
 import os
-import re
 import subprocess
 
 from rsyncfns import (
@@ -22,20 +21,21 @@
 
 SSH = f"{SRCDIR / 'support' / 'lsh.sh'} --no-cd"
 
-# Replacements that hide the variable parts of `rsync -r` listings: tabs/
-# columns for file vs directory, and the date/time stamp.
-_FILE_RE = re.compile(r'^([^d][^ ]*) *(\.{10}[0-9]) ', flags=re.MULTILINE)
-_DIR_RE = re.compile(r'^(d[^ ]*)  *[0-9][.,0-9]* ', flags=re.MULTILINE)
-_LS_RE = re.compile(
-    r'[0-9]{4}/[0-9]{2}/[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}'
-)
-
 
-def normalise(text: str) -> str:
-    out = _FILE_RE.sub(r'\1 \2 ', text)
-    out = _DIR_RE.sub(r'\1         DIR ', out)
-    out = _LS_RE.sub('####/##/## ##:##:##', out)
-    return out
+def listed_paths(text: str) -> set:
+    """The set of path names in an `rsync -r` listing. Each listing line is
+    "<mode> <size> <date> <time> <path>"; pull out the trailing path. Comparing
+    the whole set (not just checking individual paths are present) catches a
+    listing that leaks EXTRA paths, not only one that omits expected ones."""
+    paths = set()
+    for line in text.splitlines():
+        parts = line.split()
+        # A listing line starts with a 10-char mode string and ends with the
+        # path; -U adds extra date columns, so take the last token (the test's
+        # paths contain no spaces).
+        if len(parts) >= 5 and len(parts[0]) == 10 and parts[0][0] in '-dlbcps':
+            paths.add(parts[-1])
+    return paths
 
 
 conf = build_rsyncd_conf()
@@ -62,7 +62,7 @@ def normalise(text: str) -> str:
 )
 
 
-def run_and_check(args, expected, label, capture_stderr=False):
+def run_and_check(args, label, capture_stderr=False):
     proc = subprocess.run(
         rsync_argv(*args),
         capture_output=True, text=True,
@@ -81,7 +81,7 @@ def run_and_check(args, expected, label, capture_stderr=False):
 rsync_path = f"{RSYNC}{(' ' + ' '.join(confopt)) if confopt else ''}"
 out = run_and_check(
     ['-ve', SSH, f'--rsync-path={rsync_path}', 'localhost::'],
-    expected_modules, "module list via lsh.sh",
+    "module list via lsh.sh",
 )
 if expected_modules not in out:
     test_fail("module list via lsh.sh did not contain the expected modules")
@@ -95,7 +95,7 @@ def run_and_check(args, expected, label, capture_stderr=False):
 # loopback rsyncd under --use-tcp).
 daemon_url = start_test_daemon(conf, DAEMON_PORT).rstrip('/')
 
-out = run_and_check(['-v', f'{daemon_url}/'], expected_modules, "module list via daemon")
+out = run_and_check(['-v', f'{daemon_url}/'], "module list via daemon")
 if expected_modules not in out:
     test_fail("module list via daemon did not contain the expected modules")
 # test-hidden is `list = no`; it must NOT appear in the module listing.
@@ -104,43 +104,29 @@ def run_and_check(args, expected, label, capture_stderr=False):
     test_fail("module list via daemon leaked the `list = no` test-hidden module")
 print('====')
 
-# test-hidden: a recursive listing of the module, with file/dir/date
-# columns normalised so the diff is content-only.
-out = run_and_check(['-r', f'{daemon_url}/test-hidden'], "", "test-hidden listing")
-normalised = normalise(out)
-expected_hidden = """\
-drwxr-xr-x         DIR ####/##/## ##:##:## .
-drwxr-xr-x         DIR ####/##/## ##:##:## bar
--rw-r--r-- ........1 ####/##/## ##:##:## bar/two
-drwxr-xr-x         DIR ####/##/## ##:##:## bar/baz
--rw-r--r-- ........1 ####/##/## ##:##:## bar/baz/three
-drwxr-xr-x         DIR ####/##/## ##:##:## foo
--rw-r--r-- ........1 ####/##/## ##:##:## foo/one
-"""
-# The exact byte sizes vary by locale ("4" vs "          4"); just check that
-# every expected path appears in the normalised output.
-for path in ('bar', 'bar/two', 'bar/baz', 'bar/baz/three', 'foo', 'foo/one'):
-    if path not in normalised:
-        print(normalised)
-        test_fail(f"test-hidden listing missing path {path!r}")
-
-# test-from/f* glob: only the foo subtree.
-out = run_and_check(['-r', f'{daemon_url}/test-from/f*'], "", "test-from glob")
-normalised = normalise(out)
-for path in ('foo', 'foo/one'):
-    if path not in normalised:
-        print(normalised)
-        test_fail(f"test-from glob listing missing path {path!r}")
-if 'bar' in normalised:
-    print(normalised)
-    test_fail("test-from glob listing leaked the bar subtree")
+# test-hidden: a recursive listing of the whole module. Compare the exact set
+# of listed paths so an unexpected/leaked extra path is caught, not only a
+# missing one.
+out = run_and_check(['-r', f'{daemon_url}/test-hidden'], "test-hidden listing")
+got = listed_paths(out)
+want = {'.', 'bar', 'bar/two', 'bar/baz', 'bar/baz/three', 'foo', 'foo/one'}
+if got != want:
+    print(out)
+    test_fail(f"test-hidden listing paths {sorted(got)} != expected {sorted(want)}")
+
+# test-from/f* glob: only the foo subtree, nothing from bar.
+out = run_and_check(['-r', f'{daemon_url}/test-from/f*'], "test-from glob")
+got = listed_paths(out)
+want = {'foo', 'foo/one'}
+if got != want:
+    print(out)
+    test_fail(f"test-from glob paths {sorted(got)} != expected {sorted(want)}")
 
 # atimes-format variant -- only if rsync was built with atimes support.
 vv = run_rsync('-VV', check=True, capture_output=True)
 if '"atimes": true' in vv.stdout:
-    out = run_and_check(['-rU', f'{daemon_url}/test-from/f*'], "", "test-from glob with -U")
-    normalised = normalise(out)
-    for path in ('foo', 'foo/one'):
-        if path not in normalised:
-            print(normalised)
-            test_fail(f"-U glob listing missing path {path!r}")
+    out = run_and_check(['-rU', f'{daemon_url}/test-from/f*'], "test-from glob with -U")
+    got = listed_paths(out)
+    if got != want:
+        print(out)
+        test_fail(f"-U glob paths {sorted(got)} != expected {sorted(want)}")

From f23c02214f016c0cfa0513c71b91968c22faf9cf Mon Sep 17 00:00:00 2001
From: Andrew Tridgell <andrew@tridgell.net>
Date: Mon, 25 May 2026 08:14:04 +1000
Subject: [PATCH 6/8] testsuite: add content and return-code assertions

Several tests proved only that rsync exited cleanly (or that a file merely
exists), so a no-op/short transfer would pass:

  protected-regular  compare the dst bytes to the source after --inplace.
  00-hello           re-assert one/two were copied on the RSYNC_OLD_ARGS=1
                     env-var path (the explicit --old-args case already did).
  missing            check the dry-run's exit status in test 1.
  mkpath             compare transferred bytes (not just existence) and add a
                     negative control: a transfer WITHOUT --mkpath must fail
                     and create no intermediate path.
  size-filter        compare each kept file's content to its source.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 testsuite/00-hello_test.py          |  5 +++++
 testsuite/missing_test.py           |  2 ++
 testsuite/mkpath_test.py            | 15 +++++++++++++--
 testsuite/protected-regular_test.py |  9 ++++++++-
 testsuite/size-filter_test.py       | 22 +++++++++++++---------
 5 files changed, 41 insertions(+), 12 deletions(-)

diff --git a/testsuite/00-hello_test.py b/testsuite/00-hello_test.py
index 22b2e0e68..312f35394 100644
--- a/testsuite/00-hello_test.py
+++ b/testsuite/00-hello_test.py
@@ -97,3 +97,8 @@ def copy_weird(args: list, src_host: str, dst_host: str) -> None:
     )
 finally:
     os.chdir(saved)
+
+# check=True only proves a zero exit; confirm the env-var path actually copied
+# both files (as the explicit --old-args case above does).
+if not (TODIR / 'one').is_file() or not (TODIR / 'two').is_file():
+    test_fail("RSYNC_OLD_ARGS=1 copy of 'one two' failed")
diff --git a/testsuite/missing_test.py b/testsuite/missing_test.py
index 2d0a8ef9f..c0a600fe3 100644
--- a/testsuite/missing_test.py
+++ b/testsuite/missing_test.py
@@ -31,6 +31,8 @@ def run_capture(*args):
 out_path = TMPDIR / 'out1'
 proc = run_capture('-n', '-r', '--ignore-non-existing', '-vv',
                    f'{FROMDIR}/', f'{TODIR}/')
+if proc.returncode != 0:
+    test_fail(f"test 1 failed: dry-run errored (rc={proc.returncode})")
 out_path.write_text(proc.stdout)
 for line in proc.stdout.splitlines():
     if 'not creating new' in line and 'subdir/file' in line:
diff --git a/testsuite/mkpath_test.py b/testsuite/mkpath_test.py
index e257d67a2..f72cf986c 100644
--- a/testsuite/mkpath_test.py
+++ b/testsuite/mkpath_test.py
@@ -4,6 +4,7 @@
 # Test the rsync --mkpath option: it should create any missing intermediate
 # destination directories rather than erroring out.
 
+import filecmp
 import os
 import shutil
 from pathlib import Path
@@ -25,11 +26,20 @@
 deep_dir = Path('to/foo/bar/baz/down/deep')
 
 
-def assert_file(path: Path, label: str) -> None:
+def assert_file(path: Path, label: str, src: str = 'from/text') -> None:
     if not path.is_file():
         test_fail(f"{label}: {path} not found")
+    if not filecmp.cmp(path, src, shallow=False):
+        test_fail(f"{label}: {path} content differs from {src}")
 
 
+# Negative control: without --mkpath, a missing intermediate path must fail and
+# create nothing -- otherwise the --mkpath successes below prove nothing.
+rmtree('to/foo')
+proc = run_rsync('-ai', 'from/text', str(deep_dir / 'new'), check=False)
+if proc.returncode == 0 or (deep_dir / 'new').exists():
+    test_fail("a transfer WITHOUT --mkpath created the missing intermediate path")
+
 # Create several levels of dest dir (file destination — final component
 # is the new filename).
 run_rsync('-aiv', '--mkpath', 'from/text', str(deep_dir / 'new'))
@@ -53,7 +63,8 @@ def assert_file(path: Path, label: str) -> None:
 
 # Multiple source args (whole directory) — bare dest name.
 run_rsync('-aiv', '--mkpath', 'from/', str(deep_dir))
-assert_file(deep_dir / 'extra', "'extra' file in deep dir (multi-source, no trailing slash)")
+assert_file(deep_dir / 'extra', "'extra' file in deep dir (multi-source, no trailing slash)",
+            src='from/extra')
 rmtree('to/foo')
 
 # Multiple source args (whole directory) — dest with trailing slash.
diff --git a/testsuite/protected-regular_test.py b/testsuite/protected-regular_test.py
index f3e0485f0..b7d982582 100644
--- a/testsuite/protected-regular_test.py
+++ b/testsuite/protected-regular_test.py
@@ -12,7 +12,7 @@
 import sys
 from pathlib import Path
 
-from rsyncfns import TMPDIR, run_rsync, test_skipped
+from rsyncfns import TMPDIR, run_rsync, test_fail, test_skipped
 
 
 pr_path = Path('/proc/sys/fs/protected_regular')
@@ -71,3 +71,10 @@ def _chown_5001(path: Path) -> bool:
 subprocess.run(['ls', '-al', str(workdir)])
 
 run_rsync('--inplace', str(workdir / 'src'), str(workdir / 'dst'))
+
+# A zero exit isn't enough: confirm --inplace actually wrote the source bytes
+# into the protected destination (a no-op/short write would also exit 0).
+dst_content = (workdir / 'dst').read_text()
+if dst_content != "Source\n":
+    test_fail(f"--inplace did not write the source content into the protected "
+              f"dst: got {dst_content!r}")
diff --git a/testsuite/size-filter_test.py b/testsuite/size-filter_test.py
index ce5286893..4fa3a5007 100644
--- a/testsuite/size-filter_test.py
+++ b/testsuite/size-filter_test.py
@@ -10,7 +10,7 @@
 
 from rsyncfns import (
     FROMDIR, TODIR,
-    assert_exists, assert_not_exists, make_data_file, rmtree, run_rsync,
+    assert_not_exists, assert_same, make_data_file, rmtree, run_rsync,
 )
 
 src = FROMDIR
@@ -30,21 +30,25 @@ def seed():
 
 
 # --- --max-size keeps only the small files at every level -------------------
+# Compare content (not just existence) so a kept file is proven to be the
+# transferred source, not an empty/stale placeholder.
 seed()
 run_rsync('-a', '--max-size=1000', f'{src}/', f'{TODIR}/')
-cur = TODIR
+dcur, scur = TODIR, src
 for lvl in range(4):
-    assert_exists(cur / f'small{lvl}', label=f'--max-size kept small L{lvl}')
-    assert_not_exists(cur / f'large{lvl}', label=f'--max-size dropped large L{lvl}')
-    cur = cur / f'd{lvl + 1}'
+    assert_same(dcur / f'small{lvl}', scur / f'small{lvl}',
+                label=f'--max-size kept small L{lvl}')
+    assert_not_exists(dcur / f'large{lvl}', label=f'--max-size dropped large L{lvl}')
+    dcur, scur = dcur / f'd{lvl + 1}', scur / f'd{lvl + 1}'
 
 # --- --min-size keeps only the large files at every level -------------------
 seed()
 run_rsync('-a', '--min-size=1000', f'{src}/', f'{TODIR}/')
-cur = TODIR
+dcur, scur = TODIR, src
 for lvl in range(4):
-    assert_exists(cur / f'large{lvl}', label=f'--min-size kept large L{lvl}')
-    assert_not_exists(cur / f'small{lvl}', label=f'--min-size dropped small L{lvl}')
-    cur = cur / f'd{lvl + 1}'
+    assert_same(dcur / f'large{lvl}', scur / f'large{lvl}',
+                label=f'--min-size kept large L{lvl}')
+    assert_not_exists(dcur / f'small{lvl}', label=f'--min-size dropped small L{lvl}')
+    dcur, scur = dcur / f'd{lvl + 1}', scur / f'd{lvl + 1}'
 
 print("size-filter: --max-size / --min-size select correctly at depth")

From cc0499f57693fc944efe865cb3f413e0fef13c42 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell <andrew@tridgell.net>
Date: Mon, 25 May 2026 08:20:04 +1000
Subject: [PATCH 7/8] testsuite: tighten metadata-precision and symlink-target
 assertions

Replace loose/partial oracles with exact ones:

  omit-times      under -O, require EVERY directory mtime to be omitted, not
                  just one (the old "at least one differs" missed partial bugs).
  dir-sgid        assert the created dirs' actual gid: a setgid parent makes
                  them inherit its group (set to a secondary group to be
                  discriminating), while the non-setgid case gets the process's.
  relative-implied pin a deterministic umask and assert the exact default mode
                  (0o755) for --no-implied-dirs, not merely "not the source's".
  safe-links /    compare the preserved symlink TARGET strings via readlink,
  unsafe-links    not just that a symlink exists.
  preallocate     verify do_punch_hole via st_blocks on the --inplace --sparse
                  case (guarded by a sparse-capability probe).

Note: --preallocate --sparse leaves the file fully allocated on a fresh write
(the zero run is not punched), so that case stays content-only rather than
asserting hole-punching -- see the test comment; rsync.1's claim that the
combination yields sparse blocks does not hold for the fresh-write path.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 testsuite/dir-sgid_test.py         | 34 ++++++++++++++++++++++++++----
 testsuite/omit-times_test.py       | 12 +++++------
 testsuite/preallocate_test.py      |  4 ++++
 testsuite/relative-implied_test.py | 13 ++++++------
 testsuite/safe-links_test.py       |  9 +++++---
 testsuite/unsafe-links_test.py     | 23 +++++++++++---------
 6 files changed, 66 insertions(+), 29 deletions(-)

diff --git a/testsuite/dir-sgid_test.py b/testsuite/dir-sgid_test.py
index 44845aad3..bfa735ae8 100644
--- a/testsuite/dir-sgid_test.py
+++ b/testsuite/dir-sgid_test.py
@@ -10,17 +10,28 @@
 import subprocess
 
 from rsyncfns import (
-    SCRATCHDIR, check_perms, run_rsync, test_skipped,
+    SCRATCHDIR, check_perms, run_rsync, test_fail, test_skipped,
 )
 
 
 old_umask = os.umask(0o077)
 
+# A secondary group (if the user has one) lets the gid checks below be
+# discriminating: a setgid parent makes new dirs inherit the PARENT's group,
+# whereas without setgid they get the process's own group.
+prim = os.getgid()
+alt_gid = next((g for g in os.getgroups() if g != prim), None)
 
-def testit(dirname, dirperms, file_expected, prog_expected, dir_expected):
+
+def testit(dirname, dirperms, file_expected, prog_expected, dir_expected, setgid):
     """Mirror shell `testit dirname dirperms file_expected prog_expected dir_expected`."""
     todir = SCRATCHDIR / dirname
     todir.mkdir()
+    # For the setgid case, give the parent a distinct group (when available) so
+    # the inherited gid differs from the process's; chmod is applied after the
+    # chown so the setgid bit survives.
+    if setgid and alt_gid is not None:
+        os.chown(todir, -1, alt_gid)
     # dirperms is either an octal int or the symbolic shell form we translate.
     if isinstance(dirperms, int):
         os.chmod(todir, dirperms)
@@ -37,6 +48,20 @@ def testit(dirname, dirperms, file_expected, prog_expected, dir_expected):
     check_perms(todir / 'to' / 'file', file_expected)
     check_perms(todir / 'to' / 'program', prog_expected)
 
+    # With setgid set, new dirs must inherit the PARENT's group. We only assert
+    # the setgid case: it holds on both SysV/Linux and BSD, and (because the
+    # parent is given a secondary group above) still proves setgid took effect
+    # on Linux. The no-setgid case is deliberately not checked -- the inherited
+    # gid is OS-defined there (the process's group on Linux, but always the
+    # parent's on BSD), so it's not a portable assertion.
+    if setgid:
+        expect_gid = os.stat(todir).st_gid
+        for sub in ('to', 'to/dir'):
+            g = os.stat(todir / sub).st_gid
+            if g != expect_gid:
+                test_fail(f"{dirname}: {sub} gid is {g}, expected {expect_gid} "
+                          "(setgid inheritance)")
+
 
 # Cygwin's default dir ACL ruins this test; mimic the shell's getfacl skip.
 src_dir = SCRATCHDIR / 'dir'
@@ -66,7 +91,8 @@ def testit(dirname, dirperms, file_expected, prog_expected, dir_expected):
 if not (os.stat(src_dir / 'blah').st_mode & 0o2000):
     test_skipped("Your filesystem doesn't use directory setgid; maybe it's BSD.")
 
-testit('setgid-off', 0o700, 'rw-------', 'rwx------', 'rwx------')
-testit('setgid-on', 'u=rwx,g=rw,g+s,o-rwx', 'rw-------', 'rwx------', 'rwx--S---')
+testit('setgid-off', 0o700, 'rw-------', 'rwx------', 'rwx------', setgid=False)
+testit('setgid-on', 'u=rwx,g=rw,g+s,o-rwx', 'rw-------', 'rwx------', 'rwx--S---',
+       setgid=True)
 
 os.umask(old_umask)
diff --git a/testsuite/omit-times_test.py b/testsuite/omit-times_test.py
index a532c85f9..b994b9d63 100644
--- a/testsuite/omit-times_test.py
+++ b/testsuite/omit-times_test.py
@@ -31,13 +31,13 @@ def seed():
 run_rsync('-rlt', '-O', f'{src}/', f'{TODIR}/')
 for f in walk_files(src):
     assert_mtime_close(TODIR / f.relative_to(src), OLD, label=f'-O file {f.name}')
-omitted = False
+# Every directory mtime must be omitted (left at ~now), not just one of them:
+# the old "at least one differs" check would miss a bug that preserved some.
 for d in walk_dirs(src):
-    if abs(os.stat(TODIR / d.relative_to(src)).st_mtime - OLD) > 1:
-        omitted = True            # at least one dir keeps a fresh (now) mtime
-if not omitted:
-    test_fail("-O did not omit directory times -- every dir mtime matched the "
-              "source")
+    rel = d.relative_to(src)
+    if abs(os.stat(TODIR / rel).st_mtime - OLD) <= 1:
+        test_fail(f"-O preserved the mtime of directory {rel} instead of "
+                  "omitting it")
 
 # --- -J: symlink mtime omitted (where the platform records symlink mtimes) --
 seed()
diff --git a/testsuite/preallocate_test.py b/testsuite/preallocate_test.py
index db7e5e37e..47a995fea 100644
--- a/testsuite/preallocate_test.py
+++ b/testsuite/preallocate_test.py
@@ -119,6 +119,10 @@ def seed_holey(head=4096, hole=2 * 1024 * 1024, tail=4096):
 os.utime(src / deep, (st.st_atime, st.st_mtime + 100))   # force a delta update
 run_rsync('-a', '--inplace', '--sparse', '--no-whole-file', f'{src}/', f'{TODIR}/')
 assert_same(TODIR / deep, src / deep, label='--inplace --sparse content')
+if can_punch and allocated(TODIR / deep) >= os.path.getsize(TODIR / deep):
+    test_fail(f"--inplace --sparse did not punch the zero run: allocated "
+              f"{allocated(TODIR / deep)} for a {os.path.getsize(TODIR / deep)}"
+              "-byte file")
 
 print("preallocate: --preallocate (do_fallocate) + sparse hole-punching "
       "(do_punch_hole) verified at depth")
diff --git a/testsuite/relative-implied_test.py b/testsuite/relative-implied_test.py
index 167d79dfe..81d423b5c 100644
--- a/testsuite/relative-implied_test.py
+++ b/testsuite/relative-implied_test.py
@@ -9,14 +9,14 @@
 """
 
 import os
-import stat
 
 from rsyncfns import (
     SCRATCHDIR, TODIR,
     assert_mode, assert_same, forced_protocol, makepath, rmtree, run_rsync,
-    test_fail,
 )
 
+os.umask(0o022)        # make the default implied-dir mode deterministic (0o755)
+
 base = SCRATCHDIR / 'rbase'
 rmtree(base)
 rmtree(TODIR)
@@ -43,10 +43,11 @@
 else:
     rmtree(TODIR)
     run_rsync('-aR', '--no-implied-dirs', 'b/c/file', f'{TODIR}/')
-    m = stat.S_IMODE(os.stat(TODIR / 'b').st_mode)
-    if m == 0o750:
-        test_fail("--no-implied-dirs unexpectedly mirrored the source mode "
-                  "0750 onto the implied directory")
+    # The implied dir must get the default mode (0o777 & ~umask == 0o755),
+    # not the source's distinctive 0750 -- assert the exact mode, not merely
+    # "different from 0750".
+    assert_mode(TODIR / 'b', 0o755,
+                label='--no-implied-dirs uses the default mode, not source 0750')
     assert_same(TODIR / 'b' / 'c' / 'file', base / 'a' / 'b' / 'c' / 'file',
                 label='--no-implied-dirs deep file')
 
diff --git a/testsuite/safe-links_test.py b/testsuite/safe-links_test.py
index 8e1aad2f9..9a74095cd 100644
--- a/testsuite/safe-links_test.py
+++ b/testsuite/safe-links_test.py
@@ -10,9 +10,12 @@
 from rsyncfns import TMPDIR, is_a_link, run_rsync, test_fail
 
 
-def assert_symlink(path):
+def assert_symlink(path, target):
     if not is_a_link(path):
         test_fail(f"File {path} is not a symlink")
+    actual = os.readlink(path)
+    if actual != target:
+        test_fail(f"symlink {path} target is {actual!r}, expected {target!r}")
 
 
 def assert_notexist(path):
@@ -42,7 +45,7 @@ def assert_notexist(path):
 print("rsync with relative path and --safe-links")
 run_rsync('-avv', '--safe-links', 'from/safe/', 'to')
 
-assert_symlink("to/links/file1")
-assert_symlink("to/links/file2")
+assert_symlink("to/links/file1", "../files/file1")
+assert_symlink("to/links/file2", "../files/file2")
 assert_notexist("to/links/unsafefile")
 assert_notexist("to/links/unsafe2")
diff --git a/testsuite/unsafe-links_test.py b/testsuite/unsafe-links_test.py
index 3f6052815..311982f88 100644
--- a/testsuite/unsafe-links_test.py
+++ b/testsuite/unsafe-links_test.py
@@ -12,9 +12,12 @@
 from rsyncfns import TMPDIR, is_a_link, rmtree, run_rsync, test_fail
 
 
-def assert_symlink(path):
+def assert_symlink(path, target):
     if not is_a_link(path):
         test_fail(f"File {path} is not a symlink")
+    actual = os.readlink(path)
+    if actual != target:
+        test_fail(f"symlink {path} target is {actual!r}, expected {target!r}")
 
 
 def assert_regular(path):
@@ -41,9 +44,9 @@ def assert_regular(path):
 
 print("rsync with relative path and just -a")
 run_rsync('-avv', 'from/safe/', 'to')
-assert_symlink("to/links/file1")
-assert_symlink("to/links/file2")
-assert_symlink("to/links/unsafefile")
+assert_symlink("to/links/file1", "../files/file1")
+assert_symlink("to/links/file2", "../files/file2")
+assert_symlink("to/links/unsafefile", "../../unsafe/unsafefile")
 
 print("rsync with relative path and -a --copy-links")
 run_rsync('-avv', '--copy-links', 'from/safe/', 'to')
@@ -53,8 +56,8 @@ def assert_regular(path):
 
 print("rsync with relative path and --copy-unsafe-links")
 run_rsync('-avv', '--copy-unsafe-links', 'from/safe/', 'to')
-assert_symlink("to/links/file1")
-assert_symlink("to/links/file2")
+assert_symlink("to/links/file1", "../files/file1")
+assert_symlink("to/links/file2", "../files/file2")
 assert_regular("to/links/unsafefile")
 
 rmtree("to")
@@ -67,13 +70,13 @@ def assert_regular(path):
     run_rsync('-avv', '--copy-unsafe-links', 'safe/', '../to')
 finally:
     os.chdir(saved)
-assert_symlink("to/links/file1")
-assert_symlink("to/links/file2")
+assert_symlink("to/links/file1", "../files/file1")
+assert_symlink("to/links/file2", "../files/file2")
 assert_regular("to/links/unsafefile")
 
 rmtree("to")
 print("rsync with absolute path")
 run_rsync('-avv', '--copy-unsafe-links', f'{os.getcwd()}/from/safe/', 'to')
-assert_symlink("to/links/file1")
-assert_symlink("to/links/file2")
+assert_symlink("to/links/file1", "../files/file1")
+assert_symlink("to/links/file2", "../files/file2")
 assert_regular("to/links/unsafefile")

From c63baf82bd83d3ae2d516682b2ee754ef704b4f0 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell <andrew@tridgell.net>
Date: Mon, 25 May 2026 08:23:11 +1000
Subject: [PATCH 8/8] testsuite: close minor assertion gaps

  symlink-dirlink-basis  assert the --backup file holds the pre-update content,
                         not merely that the backup file exists.
  acls-default           check that clearing the inherited default ACL actually
                         succeeded, so the no-default-ACL cases can't silently
                         test against the scratch dir's seeded default ACL.
  alt-dest               assert --copy-dest produces a distinct inode from the
                         alt-dir candidate (a copy, not a hard link) -- the
                         property that distinguishes it from --link-dest, which
                         checkit's tree comparison alone doesn't capture.

(crtimes' "independently pin the historical create time" gap is left as-is: the
touch-trick pinning is APFS-specific and not locally verifiable, and a mistuned
probe would make the test skip on macOS and break its expected-skip set.)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 testsuite/acls-default_test.py          | 9 ++++++---
 testsuite/alt-dest_test.py              | 9 ++++++++-
 testsuite/symlink-dirlink-basis_test.py | 4 ++++
 3 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/testsuite/acls-default_test.py b/testsuite/acls-default_test.py
index 66c8cef41..e780de66d 100644
--- a/testsuite/acls-default_test.py
+++ b/testsuite/acls-default_test.py
@@ -12,7 +12,7 @@
 
 from rsyncfns import (
     SCRATCHDIR,
-    check_perms, run_rsync, test_skipped,
+    check_perms, run_rsync, test_fail, test_skipped,
 )
 
 
@@ -41,8 +41,11 @@ def testit(dirname, default_acl, file_expected, prog_expected):
     a transfer into a fresh subdir picks up the inherited perms."""
     todir = SCRATCHDIR / dirname
     todir.mkdir()
-    # Clear any inherited default ACL first.
-    subprocess.run(shlex.split(setfacl_nodef) + [str(todir)])
+    # Clear any inherited default ACL first -- and confirm it succeeded, so the
+    # no-default-ACL cases can't silently inherit the scratch dir's seeded
+    # default ACL and test the wrong base state.
+    if subprocess.run(shlex.split(setfacl_nodef) + [str(todir)]).returncode != 0:
+        test_fail(f"{dirname}: clearing the inherited default ACL failed")
     if default_acl:
         if '-k' in setfacl_nodef.split():
             opts = ['-dm', default_acl]
diff --git a/testsuite/alt-dest_test.py b/testsuite/alt-dest_test.py
index 7530bd5a2..07389d456 100644
--- a/testsuite/alt-dest_test.py
+++ b/testsuite/alt-dest_test.py
@@ -12,7 +12,7 @@
 
 from rsyncfns import (
     CHKDIR, FROMDIR, RSYNC, SCRATCHDIR, SRCDIR, TMPDIR, TODIR,
-    checkit, hands_setup, rmtree, run_rsync,
+    checkit, hands_setup, rmtree, run_rsync, test_fail,
 )
 
 
@@ -62,6 +62,13 @@
     rmtree(TODIR)
     checkit(['-av', *maybe_inplace, f'--copy-dest={alt3dir}',
              f'{FROMDIR}/', f'{TODIR}/'], FROMDIR, TODIR)
+    # --copy-dest must COPY the unchanged candidate, not hard-link it: the
+    # result is a distinct inode from the alt-dir source (this is the property
+    # that distinguishes --copy-dest from --link-dest, which checkit's tree
+    # comparison alone does not capture).
+    if os.stat(TODIR / 'likely').st_ino == os.stat(alt3dir / 'likely').st_ino:
+        test_fail(f"--copy-dest{' --inplace' if maybe_inplace else ''} "
+                  "hard-linked 'likely' instead of copying it")
 
     for srchost in ('', 'localhost:'):
         desthost = 'localhost:' if not srchost else ''
diff --git a/testsuite/symlink-dirlink-basis_test.py b/testsuite/symlink-dirlink-basis_test.py
index fd880144a..8c52e13f9 100644
--- a/testsuite/symlink-dirlink-basis_test.py
+++ b/testsuite/symlink-dirlink-basis_test.py
@@ -132,6 +132,7 @@ def assert_same(label: str, a, b) -> None:
 
 push('-KRlptv', 'dir/file', 'localhost:', label="test 4 initial")
 
+old_content = (srcbase / 'dir' / 'file').read_bytes()   # the backup should hold this
 with open(srcbase / 'dir' / 'file', 'ab') as f:
     f.write(b"backup update\n")
 time.sleep(1)
@@ -141,6 +142,9 @@ def assert_same(label: str, a, b) -> None:
 assert_same("test 4 update", srcbase / 'dir' / 'file', home / 'real-dir' / 'file')
 if not (home / 'real-dir' / 'file~').is_file():
     test_fail("test 4: backup file was not created")
+# The backup must hold the OLD content, not just exist.
+if (home / 'real-dir' / 'file~').read_bytes() != old_content:
+    test_fail("test 4: backup file~ does not hold the pre-update content")
 
 
 # Test 5: --inplace.