Automated testing of privileged operations

How do you unit/integration test code that requires a different privilege level than exists in your continuous integration environment?

In my non-root, CCRB-driven build environment, I've got some utility functions that assume privileges that don't hold i开发者_运维知识库n my automated build environment: either root privileges or special accounts and groups. (For example, one function changes UID/GID and supplementary groups to a specified account, changes root and current working directory, and divorces from any controlling terminal.)

We could run the tests by hand, of course, but then we might forget to run them.

How have others tackled this issue?

I would try to factor out the security management code behind a mockable interface, so that in unit tests I can provide fake privileges however I want.

This way it would be possible to test both that barring the required privileges the function fails, and that with the privileges granted it does what it is supposed to do.

Without more concrete details it is hard to say more.