Set HOME environment variable for runs-as user

Summary:
Fixes build issues around home permissions by setting `HOME` to the
unprivileged user's home directory once the "privileges dropped" build
phase has been reached.

Test Plan: Run `go test ./...`.

Reviewers: thcipriani, mobrovac, hashar, Jrbranaa, mmodell, #release-engineering-team

Reviewed By: mobrovac

Tags: #release-engineering-team

Differential Revision: https://phabricator.wikimedia.org/D686

1 files changed, 16 insertions, 12 deletions

diff --git a/config/runs.go b/config/runs.go
index f2756a5..7567685 100644
--- a/config/runs.go
+++ b/config/runs.go
@@ -25,25 +25,29 @@ func (run RunsConfig) InstructionsForPhase(phase build.Phase) []build.Instructio
 	switch phase {
 	case build.PhasePrivileged:
 		if run.In != "" {
-			ins = append(ins, []build.Instruction{{build.Run, []string{"mkdir -p ", run.In}}}...)
+			ins = append(ins, build.Instruction{build.Run, []string{"mkdir -p ", run.In}})
 		}
 
 		if run.As != "" {
-			ins = append(ins, []build.Instruction{
-				{build.Run, []string{
-					"groupadd -o -g ", strconv.Itoa(run.Gid), " -r ", run.As, " && ",
-					"useradd -o -m -r -g ", run.As, " -u ", strconv.Itoa(run.Uid), " ", run.As,
-				}},
-			}...)
+			ins = append(ins, build.Instruction{build.Run, []string{
+				"groupadd -o -g ", strconv.Itoa(run.Gid), " -r ", run.As, " && ",
+				"useradd -o -m -d /home/", run.As, " -r -g ", run.As,
+				" -u ", strconv.Itoa(run.Uid), " ", run.As,
+			}})
 
 			if run.In != "" {
-				ins = append(ins, []build.Instruction{
-					{build.Run, []string{
-						"chown ", run.As, ":", run.As, " ", run.In,
-					}},
-				}...)
+				ins = append(ins, build.Instruction{build.Run, []string{
+					"chown ", run.As, ":", run.As, " ", run.In,
+
+				}})
 			}
 		}
+	case build.PhasePrivilegeDropped:
+		if run.As != "" {
+			ins = append(ins, build.Instruction{build.Env, []string{
+				"HOME=\"/home/" + run.As + "\"",
+			}})
+		}
 	}
 
 	return ins