pg_embedded_setup_unpriv detects its effective user ID at runtime. Root
processes follow the privileged branch and complete all filesystem work as
nobody; non-root invocations leave permissions untouched and keep the
caller’s UID on the runtime directories.
Both flows create the runtime and data directories with mode 0700. Existing
directories are re-chowned or have their mode reset to enforce the expected
invariants, so two consecutive runs succeed without manual cleanup.
The XDG cache home stays 0755 so team-mates can inspect extracted binaries
and logs when debugging CI issues. The runtime directory is clamped to 0700
because it holds the PostgreSQL socket, postmaster.pid, and .pgpass, so
leaking read or execute access would expose credentials or let other users
interfere with the helper’s cluster lifecycle.
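The directory invariants described above (0755 cache home, 0700 runtime and data directories, privileged branch re-owning to nobody, idempotent re-runs), as an added illustration that is not the crate's own code. It assumes a placeholder uid/gid of 65534 for nobody and uses the ownership of /proc/self as a Linux-only stand-in for geteuid(2).

```rust
use std::fs::{self, DirBuilder, Permissions};
use std::io;
use std::os::unix::fs::{self as unix_fs, DirBuilderExt, MetadataExt, PermissionsExt};
use std::path::Path;

// Hypothetical placeholder for `nobody`; real code would resolve it with getpwnam(3).
const NOBODY_UID: u32 = 65534;
const NOBODY_GID: u32 = 65534;

/// Runtime privilege detection. Linux-only stand-in for geteuid(2): the
/// /proc/self directory is owned by the process's effective UID.
pub fn running_as_root() -> io::Result<bool> {
    Ok(fs::metadata("/proc/self")?.uid() == 0)
}

/// Create `dir` with exactly `mode`, or clamp an existing directory back to it.
/// In the privileged branch the directory is also handed to `nobody`.
/// Returns the final permission bits so callers can verify the invariant.
pub fn ensure_dir(dir: &Path, mode: u32, privileged: bool) -> io::Result<u32> {
    if !dir.is_dir() {
        DirBuilder::new().mode(mode).create(dir)?;
    }
    // mkdir's mode is filtered through the umask, and a previous run may have
    // left wider bits behind, so always apply the exact bits afterwards.
    fs::set_permissions(dir, Permissions::from_mode(mode))?;
    if privileged {
        unix_fs::chown(dir, Some(NOBODY_UID), Some(NOBODY_GID))?;
    }
    Ok(fs::metadata(dir)?.mode() & 0o777)
}

/// The layout described above: the cache home stays 0755 for inspection,
/// the runtime and data directories are clamped to 0700.
pub fn prepare_layout(cache: &Path, runtime: &Path, data: &Path) -> io::Result<(u32, u32, u32)> {
    let privileged = running_as_root()?;
    Ok((
        ensure_dir(cache, 0o755, privileged)?,
        ensure_dir(runtime, 0o700, privileged)?,
        ensure_dir(data, 0o700, privileged)?,
    ))
}
```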
Behavioural tests driven by rstest-bdd exercise both branches to guard
against regressions in privilege detection or ownership management.