home-manager: verify username and home directory

The generation activation script should be run by the user specified
in `home.username` and `home.homeDirectory`. If some other user runs
the activation script, then files may end up in the wrong place or
with the wrong owner.

This commits adds a check early in the activation script that verifies
that the running user match the user in the configuration.

Fixes #4019
This commit is contained in:
Robert Helgesson 2023-05-26 15:11:22 +02:00
parent bec196cd9b
commit 6a19225683
No known key found for this signature in database
GPG key ID: 36BDAA14C2797E89
4 changed files with 39 additions and 10 deletions

View file

@ -8,7 +8,7 @@ msgid ""
msgstr ""
"Project-Id-Version: Home Manager\n"
"Report-Msgid-Bugs-To: https://github.com/nix-community/home-manager/issues\n"
"POT-Creation-Date: 2023-04-11 22:44+0200\n"
"POT-Creation-Date: 2023-05-27 09:08+0200\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"

View file

@ -704,6 +704,9 @@ in
${builtins.readFile ./lib-bash/activation-init.sh}
checkUsername ${escapeShellArg config.home.username}
checkHomeDirectory ${escapeShellArg config.home.homeDirectory}
${activationCmds}
'';
in

18
modules/lib-bash/activation-init.sh Normal file → Executable file
View file

@ -88,6 +88,24 @@ function setupVars() {
fi
}
function checkUsername() {
local expectedUser="$1"
if [[ "$USER" != "$expectedUser" ]]; then
_iError 'Error: USER is set to "%s" but we expect "%s"' "$USER" "$expectedUser"
exit 1
fi
}
function checkHomeDirectory() {
local expectedHome="$1"
if ! [[ $HOME -ef $expectedHome ]]; then
_iError 'Error: HOME is set to "%s" but we expect "%s"' "$HOME" "$expectedHome"
exit 1
fi
}
if [[ -v VERBOSE ]]; then
export VERBOSE_ECHO=echo
export VERBOSE_ARG="--verbose"

View file

@ -8,7 +8,7 @@ msgid ""
msgstr ""
"Project-Id-Version: Home Manager Modules\n"
"Report-Msgid-Bugs-To: https://github.com/nix-community/home-manager/issues\n"
"POT-Creation-Date: 2023-04-11 22:44+0200\n"
"POT-Creation-Date: 2023-05-27 09:08+0200\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
@ -33,7 +33,7 @@ msgstr ""
msgid "No change so reusing latest profile generation %s"
msgstr ""
#: modules/home-environment.nix:625
#: modules/home-environment.nix:627
msgid ""
"Oops, Nix failed to install your new Home Manager profile!\n"
"\n"
@ -49,7 +49,7 @@ msgid ""
"Then try activating your Home Manager configuration again."
msgstr ""
#: modules/home-environment.nix:658
#: modules/home-environment.nix:660
msgid "Activating %s"
msgstr ""
@ -81,26 +81,34 @@ msgid ""
"and trying home-manager switch again. Good luck!"
msgstr ""
#: modules/lib-bash/activation-init.sh:101
#: modules/lib-bash/activation-init.sh:95
msgid "Error: USER is set to \"%s\" but we expect \"%s\""
msgstr ""
#: modules/lib-bash/activation-init.sh:104
msgid "Error: HOME is set to \"%s\" but we expect \"%s\""
msgstr ""
#: modules/lib-bash/activation-init.sh:119
msgid "Starting Home Manager activation"
msgstr ""
#: modules/lib-bash/activation-init.sh:105
#: modules/lib-bash/activation-init.sh:123
msgid "Sanity checking Nix"
msgstr ""
#: modules/lib-bash/activation-init.sh:112
#: modules/lib-bash/activation-init.sh:133
msgid "This is a dry run"
msgstr ""
#: modules/lib-bash/activation-init.sh:116
#: modules/lib-bash/activation-init.sh:137
msgid "This is a live run"
msgstr ""
#: modules/lib-bash/activation-init.sh:122
#: modules/lib-bash/activation-init.sh:143
msgid "Using Nix version: %s"
msgstr ""
#: modules/lib-bash/activation-init.sh:125
#: modules/lib-bash/activation-init.sh:146
msgid "Activation variables:"
msgstr ""