Fallback to root when user's home directory is not accessible

constants.go

@@ -536,6 +536,10 @@ const (
 	// HomeDirNotFound is returned when a the "teleport checkhomedir" command cannot
 	// find the user's home directory.
 	HomeDirNotFound = 254
+	// HomeDirNotAccessible is returned when a the "teleport checkhomedir" command has
+	// found the user's home directory, but the user does NOT have permissions to
+	// access it.
+	HomeDirNotAccessible = 253
 )
 
 // MaxEnvironmentFileLines is the maximum number of lines in a environment file.

lib/srv/reexec.go

@@ -866,16 +866,24 @@ func getConnFile(conn net.Conn) (*os.File, error) {
 	}
 }
 
-// runCheckHomeDir check's if the active user's $HOME dir exists.
+// runCheckHomeDir check's if the active user's $HOME dir exists and is accessible.
 func runCheckHomeDir() (errw io.Writer, code int, err error) {
-	home, err := os.UserHomeDir()
+	currentUser, err := user.Current()
 	if err != nil {
-		return io.Discard, teleport.HomeDirNotFound, nil
+		return io.Discard, teleport.HomeDirNotAccessible, nil
 	}
-	if !utils.IsDir(home) {
-		return io.Discard, teleport.HomeDirNotFound, nil
+
+	err = HasAccessibleHomeDir(currentUser)
+	switch {
+	case trace.IsNotFound(err):
+		code = teleport.HomeDirNotFound
+	case trace.IsAccessDenied(err):
+		code = teleport.HomeDirNotAccessible
+	case err != nil:
+		code = teleport.HomeDirNotFound
 	}
-	return io.Discard, teleport.RemoteCommandSuccess, nil
+
+	return io.Discard, code, nil
 }
 
 // runPark does nothing, forever.
@@ -1194,10 +1202,42 @@ func copyCommand(ctx *ServerContext, cmdmsg *ExecCommand) {
 	}
 }
 
-// CheckHomeDir checks if the user's home dir exists
+// HasAccessibleHomeDir checks if the given User has access to an existing home directory.
+func HasAccessibleHomeDir(localUser *user.User) error {
+	fi, err := os.Stat(localUser.HomeDir)
+	if err != nil {
+		return trace.Wrap(err)
+	}
+
+	if !fi.IsDir() {
+		return trace.NotFound("user home is not a directory")
+	}
+
+	stat, ok := fi.Sys().(*syscall.Stat_t)
+	if !ok {
+		return trace.AccessDenied("could not retrieve owner of home directory")
+	}
+
+	uid := strconv.Itoa(int(stat.Uid))
+	gid := strconv.Itoa(int(stat.Gid))
+
+	if uid == localUser.Uid && gid == localUser.Gid {
+		return nil
+	}
+
+	return trace.AccessDenied("user does not own configured home directory")
+}
+
+// CheckHomeDir checks if the user's home dir exists and is accessible. This also handles cases where
+// the home directory isn't visible to the root user, which HasAccessibleHomeDir doesn't account for.
 func CheckHomeDir(localUser *user.User) (bool, error) {
-	if fi, err := os.Stat(localUser.HomeDir); err == nil {
-		return fi.IsDir(), nil
+	err := HasAccessibleHomeDir(localUser)
+	if err == nil {
+		return true, nil
+	}
+
+	if trace.IsAccessDenied(err) {
+		return false, nil
 	}
 
 	// In some environments, the user's home directory exists but isn't visible to
@@ -1229,12 +1269,10 @@ func CheckHomeDir(localUser *user.User) (bool, error) {
 	reexecCommandOSTweaks(cmd)
 
 	if err := cmd.Run(); err != nil {
-		if cmd.ProcessState.ExitCode() == teleport.HomeDirNotFound {
-			return false, nil
-		}
 		return false, trace.Wrap(err)
 	}
-	return true, nil
+
+	return cmd.ProcessState.ExitCode() == teleport.RemoteCommandSuccess, nil
 }
 
 // Spawns a process with the given credentials, outliving the context.

lib/srv/reexec_test.go

@@ -46,6 +46,7 @@ import (
 	"github.com/gravitational/teleport/lib/teleagent"
 	"github.com/gravitational/teleport/lib/utils"
 	"github.com/gravitational/teleport/lib/utils/host"
+	"github.com/gravitational/trace"
 )
 
 type stubUser struct {
@@ -410,3 +411,45 @@ func testX11Forward(ctx context.Context, t *testing.T, proc *networking.Process,
 	require.NoError(t, err)
 	require.Equal(t, fakeXauthEntry, readXauthEntry)
 }
+
+func TestRootHasAccessibleHomeDir(t *testing.T) {
+	utils.RequireRoot(t)
+
+	uid := 1000
+	gid := 1000
+
+	tmp := t.TempDir()
+	home := filepath.Join(tmp, "home")
+	noAccess := filepath.Join(tmp, "no_access")
+	file := filepath.Join(tmp, "file")
+	notFound := filepath.Join(tmp, "not_found")
+
+	require.NoError(t, os.Mkdir(home, 0700))
+	require.NoError(t, os.Mkdir(noAccess, 0700))
+	_, err := os.Create(file)
+	require.NoError(t, err)
+
+	require.NoError(t, os.Chown(home, uid, gid))
+	require.NoError(t, os.Chown(file, uid, gid))
+
+	testUser := user.User{
+		Uid:     strconv.Itoa(uid),
+		Gid:     strconv.Itoa(gid),
+		HomeDir: home,
+	}
+
+	err = HasAccessibleHomeDir(&testUser)
+	require.NoError(t, err)
+
+	testUser.HomeDir = noAccess
+	err = HasAccessibleHomeDir(&testUser)
+	require.True(t, trace.IsAccessDenied(err))
+
+	testUser.HomeDir = file
+	err = HasAccessibleHomeDir(&testUser)
+	require.True(t, trace.IsNotFound(err))
+
+	testUser.HomeDir = notFound
+	err = HasAccessibleHomeDir(&testUser)
+	require.True(t, trace.IsNotFound(err))
+}

lib/srv/regular/sshserver.go

@@ -1266,7 +1266,7 @@ func (s *Server) HandleNewConn(ctx context.Context, ccx *sshutils.ConnectionCont
 	// Create host user.
 	created, userCloser, err := s.termHandlers.SessionRegistry.UpsertHostUser(identityContext)
 	if err != nil {
-		log.Infof("error while creating host users: %s", err)
+		log.Warnf("error while creating host users: %s", err)
 	}
 
 	// Indicate that the user was created by Teleport.