blueprint: sanitize user home directories

If a home directory has a trailing slash, the `useradd` command fails to set the correct selinux contexts for the home directory on creation. This can lead to various issues, but the one that we came across was that the ~/.ssh directory and authorized_keys file cannot be read by sshd and we couldn't log in to the system. This only manifests if the user is created through the kickstart file because: 1. `useradd` does not set the selinux contexts when creating the directory 2. Anaconda runs `restorecon` on the home directory and authorized_keys file when it creates them, but uses the install-time mount path `/mnt/sysroot/...` for which selinux does not have contexts. In most cases we get around this bug because we run `setfiles` on the tree at the end of our pipelines. For the ostree case, the relabeling in Anaconda is done correctly.
2022-03-26 14:33:54 +01:00 · 2022-03-26 14:33:54 +01:00 · f2849e2165
commit f2849e2165
parent 15a135fcbb
1 changed files with 14 additions and 1 deletions
--- a/internal/blueprint/customizations.go
+++ b/internal/blueprint/customizations.go
@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"reflect"
+	"strings"

 	"github.com/osbuild/osbuild-composer/internal/common"
 )
@ -249,7 +250,19 @@ func (c *Customizations) GetUsers() []UserCustomization {
 		}
 	}

-	return append(users, c.User...)
+	users = append(users, c.User...)
+
+	// sanitize user home directory in blueprint: if it has a trailing slash,
+	// it might lead to the directory not getting the correct selinux labels
+	for idx := range users {
+		u := users[idx]
+		if u.Home != nil {
+			homedir := strings.TrimRight(*u.Home, "/")
+			u.Home = &homedir
+			users[idx] = u
+		}
+	}
+	return users
 }

 func (c *Customizations) GetGroups() []GroupCustomization {