From e7e8ad1e354cc3b3bdedeabd145bda0983beb5f2 Mon Sep 17 00:00:00 2001
From: Tom Butler
Date: Tue, 9 Jul 2024 22:09:09 +0100
Subject: [PATCH] nixos: Set home directory parent tree permissions to 0755
When the user's home directory is created using `createHome` e.g. ``` users.users.alice = { home = "/users/alice"; createHome = true; }; ``` The `/users` directory was created with the same permissions as `/users/alice`, `0700` by default. The parent directory `/users` permissions results in `createHome` creating a home directory that is inaccessible to the user: ``` $ su alice $ cd /user/alice cd: permission denied: /users/alice ``` The underlying cause is `make_path($u->{home}, { mode => oct($u->{homeMode}) })` which sets, in the example above`, `/users` to `0700`. Instead it should be `0755` like other system directories `/var`, `/dev`, etc.
---
 nixos/modules/config/update-users-groups.pl | 2 +-
 nixos/tests/user-home-mode.nix | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/nixos/modules/config/update-users-groups.pl b/nixos/modules/config/update-users-groups.pl
index 7c6851473f42..f0b692a759d1 100644
--- a/nixos/modules/config/update-users-groups.pl
+++ b/nixos/modules/config/update-users-groups.pl
@@ -234,7 +234,7 @@ foreach my $u (@{$spec->{users}}) {
 # Ensure home directory incl. ownership and permissions.
 if ($u->{createHome} and !$is_dry) {
- make_path($u->{home}, { mode => oct($u->{homeMode}) }) if ! -e $u->{home};
+ make_path($u->{home}, { mode => 0755 }) if ! -e $u->{home};
 chown $u->{uid}, $u->{gid}, $u->{home};
 chmod oct($u->{homeMode}), $u->{home};
 }
diff --git a/nixos/tests/user-home-mode.nix b/nixos/tests/user-home-mode.nix
index 070cb0b75cc9..2d6d1af3f391 100644
--- a/nixos/tests/user-home-mode.nix
+++ b/nixos/tests/user-home-mode.nix
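Review bot: The `mode => 0755` on the new make_path line is still modified by the process umask (File::Path documents the mode option as subject to the current umask), so missing parents such as `/users` only come out 0755 when activation runs with a umask of 022 or looser; if that cannot be assumed, bracket the call with `my $old_umask = umask 022;` and `umask $old_umask;`, or chmod the created parents explicitly. Parents that an earlier version already created as 0700 are not repaired either, because make_path only runs while the home itself is missing, so an existing `/users` keeps its old mode; that limitation is worth stating in the commit message. A why-comment on the new line would save the next reader from wondering why the mode no longer matches homeMode: `# 0755 applies to any parents created on the way (e.g. /users); the home itself is chmod'ed to homeMode below.`. The enclosing foreach loop starts outside the hunk.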
@@ -12,6 +12,12 @@ import ./make-test-python.nix ({ lib, ... }: {
 isNormalUser = true;
 homeMode = "750";
 };
+ users.users.carol = {
+ initialPassword = "pass3";
+ isNormalUser = true;
+ createHome = true;
+ home = "/users/carol";
+ };
 };
 testScript = ''
@@ -23,5 +29,7 @@ import ./make-test-python.nix ({ lib, ... }: {
 machine.send_chars("pass1\n")
 machine.succeed('[ "$(stat -c %a /home/alice)" == "700" ]')
 machine.succeed('[ "$(stat -c %a /home/bob)" == "750" ]')
+ machine.succeed('[ "$(stat -c %a /users)" == "755" ]')
+ machine.succeed('[ "$(stat -c %a /users/carol)" == "700" ]')
 '';
 })
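Review bot: The two added stat checks in the second hunk pin the modes but not the property the commit is actually fixing, namely that carol can enter her own home, so a regression that keeps the modes right but gets ownership wrong would pass; an end-to-end check such as `machine.succeed("su carol -c 'ls /users/carol'")` would catch it directly. Since the Perl side only chowns the home itself, the parent is presumably left owned by the activating user (root, if activation runs as root); if that is the intended contract, pinning it with `machine.succeed('[ "$(stat -c %U /users)" == "root" ]')` documents it in the test. A one-line comment above the carol definition in the first hunk saying that `/users/carol` is deliberately outside `/home` to exercise parent creation would make the purpose of the extra user obvious.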