Verify $HOME exists and is owned by current user in getHome()

Useful because a default `sudo` on darwin doesn't clear `$HOME`, so things like `sudo nix-channel --list` will surprisingly return the USER'S channels, rather than `root`'s. Other counterintuitive outcomes can be seen in this PR description: #6622
NixOS · Jun 17, 2022 · ab5c922 · ab5c922
1 parent 9f58df4
commit ab5c922
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 0 deletions.
diff --git a/src/libutil/util.cc b/src/libutil/util.cc
@@ -574,6 +574,14 @@ Path getHome()
     static Path homeDir = []()
     {
         auto homeDir = getEnv("HOME");
+        if (homeDir) {
+            // Only use $HOME if it exists and is owned by the current user.
+            struct stat st;
+            if (stat(homeDir->c_str(), &st) || st.st_uid != geteuid()) {
+                // Couldn't stat $HOME, or the location wasn't owned by the current user
+                homeDir.reset();
+            }
+        }
         if (!homeDir) {
             std::vector<char> buf(16384);
             struct passwd pwbuf;

diff --git a/tests/config.sh b/tests/config.sh
@@ -4,6 +4,10 @@ source common.sh
 # Other tests (e.g. flake registry tests) could be writing to $HOME in parallel.
 export HOME=$TEST_ROOT/userhome
 
+# If home didn't exist or wasn't owned by this user, nix would have reverted to
+# using the homedir entry from /etc/passwd instead.
+mkdir $HOME
+
 # Test that using XDG_CONFIG_HOME works
 # Assert the config folder didn't exist initially.
 [ ! -e "$HOME/.config" ]

diff --git a/tests/tarball.sh b/tests/tarball.sh
@@ -3,6 +3,9 @@ source common.sh
 clearStore
 
 rm -rf $TEST_HOME
+# If home didn't exist or wasn't owned by this user, nix would have reverted to
+# using the homedir entry from /etc/passwd instead.
+mkdir $TEST_HOME
 
 tarroot=$TEST_ROOT/tarball
 rm -rf $tarroot