Relax mkdir/rchown subpath of home check to owns a parent dir

"the user owns a parent directory" is a lot less strict than
being under the home directory, but allows using shared directories
that are not mounted under home, and at least requires some explicit config
to create the directory before it can be used
rather than just being any directory the user is able to create.

diff --git a/mkosi/user.py b/mkosi/user.py
index f22649b5c3b6fd7062068954130ee2611f948271..34a9a8a7a6639d3fad9bbb541fdefeb84eb0ba28 100644 (file)
--- a/mkosi/user.py
+++ b/mkosi/user.py
@@ -68,7 +68,10 @@ class INVOKING_USER:
 
     @classmethod
     def mkdir(cls, path: Path) -> Path:
-        cond = not cls.invoked_as_root or (cls.is_regular_user() and path.is_relative_to(cls.home()))
+        cond = (
+            not cls.invoked_as_root or
+            (cls.is_regular_user() and any(p.exists() and p.stat().st_uid == cls.uid for p in path.parents))
+        )
         run(
             ["mkdir", "--parents", path],
             user=cls.uid if cond else os.getuid(),
@@ -79,7 +82,7 @@ class INVOKING_USER:
 
     @classmethod
     def rchown(cls, path: Path) -> None:
-        if cls.is_regular_user() and path.is_relative_to(INVOKING_USER.home()) and path.exists():
+        if cls.is_regular_user() and any(p.stat().st_uid == cls.uid for p in path.parents) and path.exists():
             run(["chown", "--recursive", f"{INVOKING_USER.uid}:{INVOKING_USER.gid}", path])