Skip to content

Home directory for non-existent user should not fall back to /var/empty or %ALLUSERSPROFILE% #1072

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Dec 6, 2024
Merged

Home directory for non-existent user should not fall back to /var/empty or %ALLUSERSPROFILE% #1072

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 7 additions & 1 deletion Sources/FoundationEssentials/FileManager/FileManager+Directories.swift
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,13 @@ extension _FileManagerImpl {
}

func homeDirectory(forUser userName: String?) -> URL? {
URL(filePath: String.homeDirectoryPath(forUser: userName), directoryHint: .isDirectory)
guard let userName else {
return homeDirectoryForCurrentUser
}
guard let path = String.homeDirectoryPath(forUser: userName) else {
return nil
}
return URL(filePath: path, directoryHint: .isDirectory)
}

var temporaryDirectory: URL {
Expand Down
171 changes: 92 additions & 79 deletions Sources/FoundationEssentials/String/String+Path.swift
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -422,86 +422,42 @@ extension String {
// MARK: - Filesystem String Extensions

#if !NO_FILESYSTEM

internal static func homeDirectoryPath(forUser user: String? = nil) -> String {
internal static func homeDirectoryPath() -> String {
#if os(Windows)
if let user {
func fallbackUserDirectory() -> String {
guard let fallback = ProcessInfo.processInfo.environment["ALLUSERSPROFILE"] else {
fatalError("Unable to find home directory for user \(user) and ALLUSERSPROFILE environment variable is not set")
}

return fallback
}

guard !user.isEmpty else {
return fallbackUserDirectory()
func fallbackCurrentUserDirectory() -> String {
guard let fallback = ProcessInfo.processInfo.environment["ALLUSERSPROFILE"] else {
fatalError("Unable to find home directory for current user and ALLUSERSPROFILE environment variable is not set")
}

return user.withCString(encodedAs: UTF16.self) { pwszUserName in
var cbSID: DWORD = 0
var cchReferencedDomainName: DWORD = 0
var eUse: SID_NAME_USE = SidTypeUnknown
LookupAccountNameW(nil, pwszUserName, nil, &cbSID, nil, &cchReferencedDomainName, &eUse)
guard cbSID > 0 else {
return fallbackUserDirectory()
}

return withUnsafeTemporaryAllocation(of: CChar.self, capacity: Int(cbSID)) { pSID in
return withUnsafeTemporaryAllocation(of: WCHAR.self, capacity: Int(cchReferencedDomainName)) { pwszReferencedDomainName in
guard LookupAccountNameW(nil, pwszUserName, pSID.baseAddress, &cbSID, pwszReferencedDomainName.baseAddress, &cchReferencedDomainName, &eUse) else {
return fallbackUserDirectory()
}

var pwszSID: LPWSTR? = nil
guard ConvertSidToStringSidW(pSID.baseAddress, &pwszSID) else {
fatalError("unable to convert SID to string for user \(user)")
}

return #"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\\#(String(decodingCString: pwszSID!, as: UTF16.self))"#.withCString(encodedAs: UTF16.self) { pwszKeyPath in
return "ProfileImagePath".withCString(encodedAs: UTF16.self) { pwszKey in
var cbData: DWORD = 0
RegGetValueW(HKEY_LOCAL_MACHINE, pwszKeyPath, pwszKey, RRF_RT_REG_SZ, nil, nil, &cbData)
guard cbData > 0 else {
fatalError("unable to query ProfileImagePath for user \(user)")
}
return withUnsafeTemporaryAllocation(of: WCHAR.self, capacity: Int(cbData)) { pwszData in
guard RegGetValueW(HKEY_LOCAL_MACHINE, pwszKeyPath, pwszKey, RRF_RT_REG_SZ, nil, pwszData.baseAddress, &cbData) == ERROR_SUCCESS else {
fatalError("unable to query ProfileImagePath for user \(user)")
}
return String(decodingCString: pwszData.baseAddress!, as: UTF16.self)
}
}
}

}
}
}
return fallback
}

var hToken: HANDLE? = nil
guard OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken) else {
guard let UserProfile = ProcessInfo.processInfo.environment["UserProfile"] else {
fatalError("unable to evaluate `%UserProfile%`")
return fallbackCurrentUserDirectory()
}
return UserProfile
}
defer { CloseHandle(hToken) }

var dwcchSize: DWORD = 0
_ = GetUserProfileDirectoryW(hToken, nil, &dwcchSize)

return withUnsafeTemporaryAllocation(of: WCHAR.self, capacity: Int(dwcchSize)) {
var dwcchSize: DWORD = DWORD($0.count)
guard GetUserProfileDirectoryW(hToken, $0.baseAddress, &dwcchSize) else {
fatalError("unable to query user profile directory")
return fallbackCurrentUserDirectory()
}
return String(decodingCString: $0.baseAddress!, as: UTF16.self)
}
#else // os(Windows)

#else


#if targetEnvironment(simulator)
if user == nil, let envValue = getenv("CFFIXED_USER_HOME") ?? getenv("HOME") {
// Simulator checks these environment variables first for the current user
if let envValue = getenv("CFFIXED_USER_HOME") ?? getenv("HOME") {
return String(cString: envValue).standardizingPath
}
#endif
Expand All @@ -512,28 +468,81 @@ extension String {
}

#if !os(WASI) // WASI does not have user concept
// Next, attempt to find the home directory via getpwnam/getpwuid
if let user {
if let dir = Platform.homeDirectory(forUserName: user) {
return dir.standardizingPath
}
} else {
// We use the real UID instead of the EUID here when the EUID is the root user (i.e. a process has called seteuid(0))
// In this instance, we historically do this to ensure a stable home directory location for processes that call seteuid(0)
if let dir = Platform.homeDirectory(forUID: Platform.getUGIDs(allowEffectiveRootUID: false).uid) {
return dir.standardizingPath
}
// Next, attempt to find the home directory via getpwuid
// We use the real UID instead of the EUID here when the EUID is the root user (i.e. a process has called seteuid(0))
// In this instance, we historically do this to ensure a stable home directory location for processes that call seteuid(0)
if let dir = Platform.homeDirectory(forUID: Platform.getUGIDs(allowEffectiveRootUID: false).uid) {
return dir.standardizingPath
}
#endif // !os(WASI)

#endif
// Fallback to HOME for the current user if possible
if user == nil, let home = getenv("HOME") {
if let home = getenv("HOME") {
return String(cString: home).standardizingPath
}

// If all else fails, log and fall back to /var/empty
// If all else fails, fall back to /var/empty
return "/var/empty"
#endif // os(Windows)
#endif
}

internal static func homeDirectoryPath(forUser user: String) -> String? {
#if os(Windows)
guard !user.isEmpty else {
return nil
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we return nil for empty user on non-Windows platforms, too?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, I see that Platform.homeDirectory(forUserName: "") returns nil.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah we have some unit tests that check for this behavior that aren't platform specific so in the end I think the behavior matches, but happy to restructure if you think this should be moved out of the #if block

}

return user.withCString(encodedAs: UTF16.self) { pwszUserName in
var cbSID: DWORD = 0
var cchReferencedDomainName: DWORD = 0
var eUse: SID_NAME_USE = SidTypeUnknown
LookupAccountNameW(nil, pwszUserName, nil, &cbSID, nil, &cchReferencedDomainName, &eUse)
guard cbSID > 0 else {
return nil
}

return withUnsafeTemporaryAllocation(of: CChar.self, capacity: Int(cbSID)) { pSID in
return withUnsafeTemporaryAllocation(of: WCHAR.self, capacity: Int(cchReferencedDomainName)) { pwszReferencedDomainName in
guard LookupAccountNameW(nil, pwszUserName, pSID.baseAddress, &cbSID, pwszReferencedDomainName.baseAddress, &cchReferencedDomainName, &eUse) else {
return nil
}

var pwszSID: LPWSTR? = nil
guard ConvertSidToStringSidW(pSID.baseAddress, &pwszSID) else {
fatalError("unable to convert SID to string for user \(user)")
}

return #"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\\#(String(decodingCString: pwszSID!, as: UTF16.self))"#.withCString(encodedAs: UTF16.self) { pwszKeyPath in
return "ProfileImagePath".withCString(encodedAs: UTF16.self) { pwszKey in
var cbData: DWORD = 0
RegGetValueW(HKEY_LOCAL_MACHINE, pwszKeyPath, pwszKey, RRF_RT_REG_SZ, nil, nil, &cbData)
guard cbData > 0 else {
fatalError("unable to query ProfileImagePath for user \(user)")
}
return withUnsafeTemporaryAllocation(of: WCHAR.self, capacity: Int(cbData)) { pwszData in
guard RegGetValueW(HKEY_LOCAL_MACHINE, pwszKeyPath, pwszKey, RRF_RT_REG_SZ, nil, pwszData.baseAddress, &cbData) == ERROR_SUCCESS else {
fatalError("unable to query ProfileImagePath for user \(user)")
}
return String(decodingCString: pwszData.baseAddress!, as: UTF16.self)
}
}
}

}
}
}
#else
// First check CFFIXED_USER_HOME if the environment is not considered tainted
if let envVar = Platform.getEnvSecure("CFFIXED_USER_HOME") {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just noticed this. The behavior appears consistent with CFCopyHomeDirectoryURLForUser, but I'm not sure it's correct. 😓 An issue for a different day, perhaps.

Copy link
Contributor Author

@jmschonfeld jmschonfeld Dec 5, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah it did seem a bit weird that CFFIXED_USER_HOME affects all users and not just the current user, but I agree probably an issue to address separately to minimize the behavioral changes of this patch (this was sort of easily overlooked before but is now very clear since the implementations for current vs. specific user are split)

return envVar.standardizingPath
}
#if !os(WASI) // WASI does not have user concept
// Next, attempt to find the home directory via getpwnam
return Platform.homeDirectory(forUserName: user)?.standardizingPath
#else
return nil
#endif
#endif
}

// From swift-corelibs-foundation's NSTemporaryDirectory. Internal for now, pending a better public API.
Expand Down Expand Up @@ -669,13 +678,17 @@ extension String {

private var _expandingTildeInPath: String {
guard utf8.first == UInt8(ascii: "~") else { return self }
var user: String? = nil
let firstSlash = utf8.firstIndex(of: ._slash) ?? endIndex
let indexAfterTilde = utf8.index(after: startIndex)
var userDir: String
if firstSlash != indexAfterTilde {
user = String(self[indexAfterTilde ..< firstSlash])
guard let dir = String.homeDirectoryPath(forUser: String(self[indexAfterTilde ..< firstSlash])) else {
return self
}
userDir = dir
} else {
userDir = String.homeDirectoryPath()
}
let userDir = String.homeDirectoryPath(forUser: user)
return userDir + self[firstSlash...]
}

Expand Down
10 changes: 2 additions & 8 deletions Tests/FoundationEssentialsTests/FileManager/FileManagerTests.swift
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1039,14 +1039,8 @@ final class FileManagerTests : XCTestCase {
#if canImport(Darwin) && !os(macOS)
throw XCTSkip("This test is not applicable on this platform")
#else
#if os(Windows)
let fallbackPath = URL(filePath: try XCTUnwrap(ProcessInfo.processInfo.environment["ALLUSERSPROFILE"]), directoryHint: .isDirectory)
#else
let fallbackPath = URL(filePath: "/var/empty", directoryHint: .isDirectory)
#endif

XCTAssertEqual(FileManager.default.homeDirectory(forUser: ""), fallbackPath)
XCTAssertEqual(FileManager.default.homeDirectory(forUser: UUID().uuidString), fallbackPath)
XCTAssertNil(FileManager.default.homeDirectory(forUser: ""))
XCTAssertNil(FileManager.default.homeDirectory(forUser: UUID().uuidString))
#endif
}

Expand Down