test(linux-client): check if we can add the user to a group in a CI test (#4600)

Refs #4513

The next step after this is to use this to test security in the Linux
IPC code, it should reject any IPC commands from users not in the
`firezone` group.

.github/workflows/_integration_tests.yml

@@ -106,6 +106,7 @@ jobs:
           direct-download-roaming-network,
           dns-failsafe, # Uses the default DNS control method
           dns-nm,
+          linux-group,  # Stub, doesn't run Firezone code yet
           relay-graceful-shutdown,
           relayed-curl-api-down,
           relayed-curl-api-restart,

scripts/tests/linux-group.sh

@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+# The integration tests call this to test security for Linux IPC.
+# Only users in the `firezone` group should be able to control the privileged tunnel process.
+
+set -euo pipefail
+
+FZ_GROUP="firezone"
+
+sudo groupadd "$FZ_GROUP"
+
+# Make sure we don't belong to the group yet
+(groups | grep "$FZ_GROUP") && exit 1
+
+# TODO: Expect Firezone to reject our commands here
+
+sudo gpasswd --add "$USER" "$FZ_GROUP"
+
+# Start a new login shell to update our groups, and check again
+sudo su --login "$USER" --command groups | grep "$FZ_GROUP"
+
+# TODO: Expect Firezone to accept our commands if we run with `su --login`