Relax mkdir/rchown subpath of home check to owns a parent dir

"the user owns a parent directory" is a lot less strict than being under the home directory, but allows using shared directories that are not mounted under home, and at least requires some explicit config to create the directory before it can be used rather than just being any directory the user is able to create.
systemd · Mar 19, 2024 · 2a9bbec · 2a9bbec
1 parent 009508e
commit 2a9bbec
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/mkosi/user.py b/mkosi/user.py
@@ -64,7 +64,7 @@ def cache_dir(cls) -> Path:
 
     @classmethod
     def mkdir(cls, path: Path) -> Path:
-        cond = not cls.invoked_as_root or (cls.is_regular_user() and path.is_relative_to(cls.home()))
+        cond = not cls.invoked_as_root or (cls.is_regular_user() and any(p.stat().st_uid == cls.uid for p in path.parents))
         run(
             ["mkdir", "--parents", path],
             user=cls.uid if cond else os.getuid(),
@@ -75,7 +75,7 @@ def mkdir(cls, path: Path) -> Path:
 
     @classmethod
     def rchown(cls, path: Path) -> None:
-        if cls.is_regular_user() and path.is_relative_to(INVOKING_USER.home()) and path.exists():
+        if cls.is_regular_user() and any(p.stat().st_uid == cls.uid for p in path.parents) and path.exists():
             run(["chown", "--recursive", f"{INVOKING_USER.uid}:{INVOKING_USER.gid}", path])