Ignore non-writeable HOME (microsoft/vscode-remote-release#10707)

Author: chrmarti

src/spec-common/injectHeadless.ts

@@ -244,7 +244,7 @@ export async function getContainerProperties(options: {
 		params.output.write(toWarningText(`User ${containerUser} not found with 'getent passwd'.`));
 	}
 	const shell = await getUserShell(containerEnv, passwdUser);
-	const homeFolder = await getHomeFolder(containerEnv, passwdUser);
+	const homeFolder = await getHomeFolder(shellServer, containerEnv, passwdUser);
 	const userDataFolder = getUserDataFolder(homeFolder, params);
 	let rootShellServerP: Promise<ShellServer> | undefined;
 	if (rootShellServer) {
@@ -278,8 +278,19 @@ export async function getUser(shellServer: ShellServer) {
 	return (await shellServer.exec('id -un')).stdout.trim();
 }
 
-export async function getHomeFolder(containerEnv: NodeJS.ProcessEnv, passwdUser: PasswdUser | undefined) {
-	return containerEnv.HOME || (passwdUser && passwdUser.home) || '/root';
+export async function getHomeFolder(shellServer: ShellServer, containerEnv: NodeJS.ProcessEnv, passwdUser: PasswdUser | undefined) {
+	if (containerEnv.HOME) {
+		if (containerEnv.HOME === passwdUser?.home || passwdUser?.uid === '0') {
+			return containerEnv.HOME;
+		}
+		try {
+			await shellServer.exec(`[ ! -e '${containerEnv.HOME}' ] || [ -w '${containerEnv.HOME}' ]`);
+			return containerEnv.HOME;
+		} catch {
+			// Exists but not writable.
+		}
+	}
+	return passwdUser?.home || '/root';
 }
 
 async function getUserShell(containerEnv: NodeJS.ProcessEnv, passwdUser: PasswdUser | undefined) {

src/test/getHomeFolder.test.ts

@@ -0,0 +1,46 @@
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Microsoft Corporation. All rights reserved.
+ *  Licensed under the MIT License. See License.txt in the project root for license information.
+ *--------------------------------------------------------------------------------------------*/
+
+import * as assert from 'assert';
+import { shellExec, output } from './testUtils';
+import { dockerExecFunction } from '../spec-shutdown/dockerUtils';
+import { plainExec } from '../spec-common/commonUtils';
+import { launch } from '../spec-common/shellServer';
+import { getHomeFolder, getUserFromPasswdDB } from '../spec-common/injectHeadless';
+
+describe('getHomeFolder', function () {
+	this.timeout('20s');
+
+	it(`should ignore non-writeable HOME`, async () => {
+		const res = await shellExec(`docker run -d mcr.microsoft.com/devcontainers/base:latest sleep inf`);
+		const containerId = res.stdout.trim();
+		
+		const vscodeShellServer = await launchShellServer(containerId, 'vscode');
+		const vscodeUser = await getUserFromPasswdDB(vscodeShellServer, 'vscode');
+		assert.ok(vscodeUser);
+
+		assert.strictEqual(await getHomeFolder(vscodeShellServer, {}, vscodeUser), '/home/vscode');
+		assert.strictEqual(await getHomeFolder(vscodeShellServer, { HOME: '/root' }, vscodeUser), '/home/vscode');
+		assert.strictEqual(await getHomeFolder(vscodeShellServer, { HOME: '/home/vscode' }, vscodeUser), '/home/vscode');
+		assert.strictEqual(await getHomeFolder(vscodeShellServer, { HOME: '/home/vscode/foo' }, vscodeUser), '/home/vscode/foo');
+
+		const rootServer = await launchShellServer(containerId, 'root');
+		const rootUser = await getUserFromPasswdDB(rootServer, 'root');
+		assert.ok(rootUser);
+
+		assert.strictEqual(await getHomeFolder(rootServer, {}, rootUser), '/root');
+		assert.strictEqual(await getHomeFolder(rootServer, { HOME: '/home/vscode' }, rootUser), '/home/vscode');
+	});
+
+	async function launchShellServer(containerId: string, username: string) {
+		const exec = dockerExecFunction({
+			exec: plainExec(undefined),
+			cmd: 'docker',
+			env: {},
+			output,
+		}, containerId, username);
+		return launch(exec, output);
+	}
+});