diff --git a/.github/workflows/_integration_tests.yml b/.github/workflows/_integration_tests.yml
index 10c9f2cfc..f423b4699 100644
--- a/.github/workflows/_integration_tests.yml
+++ b/.github/workflows/_integration_tests.yml
@@ -106,6 +106,7 @@ jobs:
 direct-download-roaming-network,
 dns-failsafe, # Uses the default DNS control method
 dns-nm,
+ linux-group, # Stub, doesn't run Firezone code yet
 relay-graceful-shutdown,
 relayed-curl-api-down,
 relayed-curl-api-restart,
diff --git a/scripts/tests/linux-group.sh b/scripts/tests/linux-group.sh
new file mode 100755
index 000000000..d41817a96
--- /dev/null
+++ b/scripts/tests/linux-group.sh
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+# The integration tests call this to test security for Linux IPC.
+# Only users in the `firezone` group should be able to control the privileged tunnel process.
+
+set -euo pipefail
+
+FZ_GROUP="firezone"
+
+sudo groupadd "$FZ_GROUP"
+
+# Make sure we don't belong to the group yet
+(groups | grep "$FZ_GROUP") && exit 1
+
+# TODO: Expect Firezone to reject our commands here
+
+sudo gpasswd --add "$USER" "$FZ_GROUP"
+
+# Start a new login shell to update our groups, and check again
+sudo su --login "$USER" --command groups | grep "$FZ_GROUP"
+
+# TODO: Expect Firezone to accept our commands if we run with `su --login`
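Review bot: Both membership checks in scripts/tests/linux-group.sh use an unanchored `grep "$FZ_GROUP"` over the space-separated `groups` output, so any group whose name merely contains `firezone` as a substring satisfies them; the "not yet a member" check can then abort spuriously, and the post-`su --login` check can pass without the user actually being in the `firezone` group, which is the property this test exists to establish before the TODO assertions are filled in. Matching whole names on newline-separated output, and reading the whole stream rather than `grep -q` so `pipefail` cannot report a SIGPIPE from `tr` as a failure, avoids both. `sudo groupadd "$FZ_GROUP"` also exits non-zero when the group already exists, so under `set -e` a second run on the same machine dies before any check; a `getent group` guard makes it idempotent. Finally, `$USER` is read under `set -u` and is not guaranteed to be set in container or non-login CI contexts, so `"$(id -un)"` is the safer source for the account name, presumably what the author intended.
```shell
getent group "$FZ_GROUP" >/dev/null || sudo groupadd "$FZ_GROUP"
fz_user=$(id -un)

# Make sure we don't belong to the group yet (exact name match, not substring)
if id -nG | tr ' ' '\n' | grep -x -- "$FZ_GROUP" >/dev/null; then
  printf 'error: %s is already in group %s\n' "$fz_user" "$FZ_GROUP" >&2
  exit 1
fi

# … unchanged: TODO reject-commands check …

sudo gpasswd --add "$fz_user" "$FZ_GROUP"

# Start a new login shell to update our groups, and check again
sudo su --login "$fz_user" --command 'id -nG' | tr ' ' '\n' | grep -x -- "$FZ_GROUP" >/dev/null
```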