dotnet · wli3 · Sep 17, 2021 · Sep 10, 2021 · Sep 14, 2021 · Sep 15, 2021
diff --git a/src/Cli/dotnet/StatInterop.cs b/src/Cli/dotnet/StatInterop.cs
@@ -0,0 +1,73 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System;
+using System.Runtime.InteropServices;
+using Microsoft.Win32.SafeHandles;
+
+namespace Microsoft.DotNet.Cli
+{
+    // https://github.com/dotnet/runtime/blob/main/src/libraries/Common/src/Interop/Unix/System.Native/Interop.Stat.cs
+
+    internal static class StatInterop
+    {
+        // Even though csc will by default use a sequential layout, a CS0649 warning as error
+        // is produced for un-assigned fields when no StructLayout is specified.
+        //
+        // Explicitly saying Sequential disables that warning/error for consumers which only
+        // use Stat in debug builds.
+        [StructLayout(LayoutKind.Sequential)]
+        internal struct FileStatus
+        {
+            internal FileStatusFlags Flags;
+            internal int Mode;
+            internal uint Uid;
+            internal uint Gid;
+            internal long Size;
+            internal long ATime;
+            internal long ATimeNsec;
+            internal long MTime;
+            internal long MTimeNsec;
+            internal long CTime;
+            internal long CTimeNsec;
+            internal long BirthTime;
+            internal long BirthTimeNsec;
+            internal long Dev;
+            internal long Ino;
+            internal uint UserFlags;
+        }
+
+        [Flags]
+        internal enum Permissions
+        {
+            Mask = S_IRWXU | S_IRWXG | S_IRWXO,
+
+            S_IRWXU = S_IRUSR | S_IWUSR | S_IXUSR,
+            S_IRUSR = 0x100,
+            S_IWUSR = 0x80,
+            S_IXUSR = 0x40,
+
+            S_IRWXG = S_IRGRP | S_IWGRP | S_IXGRP,
+            S_IRGRP = 0x20,
+            S_IWGRP = 0x10,
+            S_IXGRP = 0x8,
+
+            S_IRWXO = S_IROTH | S_IWOTH | S_IXOTH,
+            S_IROTH = 0x4,
+            S_IWOTH = 0x2,
+            S_IXOTH = 0x1,
+
+            S_IXUGO = S_IXUSR | S_IXGRP | S_IXOTH,
+        }
+
+        [Flags]
+        internal enum FileStatusFlags
+        {
+            None = 0,
+            HasBirthTime = 1,
+        }
+
+        [DllImport("libSystem.Native", EntryPoint = "SystemNative_LStat", SetLastError = true)]
+        internal static extern int LStat(string path, out FileStatus output);
+    }
+}
diff --git a/src/Cli/dotnet/SudoEnvironmentDirectoryOverride.cs b/src/Cli/dotnet/SudoEnvironmentDirectoryOverride.cs
@@ -4,6 +4,11 @@
 using System;
 using System.CommandLine.Parsing;
 using System.IO;
+using System.Linq;
+using Microsoft.DotNet.Cli.Utils;
+using Microsoft.DotNet.Tools.Common;
+using NuGet.Common;
+using NuGet.Configuration;
 
 namespace Microsoft.DotNet.Cli
 {
@@ -32,12 +37,100 @@ public static void OverrideEnvironmentVariableToTmp(ParseResult parseResult)
         {
             if (!OperatingSystem.IsWindows() && IsRunningUnderSudo() && IsRunningWorkloadCommand(parseResult))
             {
+                if (!TempHomeIsOnlyRootWritable(SudoHomeDirectory))
+                {
+                    try
+                    {
+                        Directory.Delete(SudoHomeDirectory, recursive: true);
+                    }
+                    catch (DirectoryNotFoundException)
+                    {
+                        // Avoid read after write race condition
+                    }
+                }
+
                 Directory.CreateDirectory(SudoHomeDirectory);
+
+                var homeBeforeOverride = Path.Combine(Environment.GetEnvironmentVariable("HOME"));
                 Environment.SetEnvironmentVariable("HOME", SudoHomeDirectory);
+
+                CopyUserNuGetConfigToOverriddenHome(homeBeforeOverride);
+            }
+        }
+
+        /// <summary>
+        /// To make NuGet honor the user's NuGet config file.
+        /// Copying instead of using the file directoy to avoid existing file being set higher permission
+        /// Try to delete the existing NuGet config file in "/tmp/dotnet_sudo_home/"
+        /// to avoid different user's NuGet config getting mixed.
+        /// </summary>
+        private static void CopyUserNuGetConfigToOverriddenHome(string homeBeforeOverride)
+        {
+            // https://github.com/NuGet/NuGet.Client/blob/dev/src/NuGet.Core/NuGet.Common/PathUtil/NuGetEnvironment.cs#L139
+            // home is cache in NuGet we cannot directly use the call
+            var userSettingsDir = Path.Combine(homeBeforeOverride, ".nuget", "NuGet");
+
+            string userNuGetConfig = Settings.OrderedSettingsFileNames
+                .Select(fileName => Path.Combine(userSettingsDir, fileName))
+                .FirstOrDefault(f => File.Exists(f));
+
+            var overridenSettingsDir = NuGetEnvironment.GetFolderPath(NuGetFolderPath.UserSettingsDirectory);
+            var overridenNugetConfig = Path.Combine(overridenSettingsDir, Settings.DefaultSettingsFileName);
+
+            if (File.Exists(overridenNugetConfig))
+            {
+                try
+                {
+                    FileAccessRetrier.RetryOnIOException(
+                        () => File.Delete(overridenNugetConfig));
+                }
+                catch
+                {
+                    // best effort to remove
+                }
+            }
+
+            if (userNuGetConfig != default)
+            {
+                try
+                {
+                    FileAccessRetrier.RetryOnIOException(
+                        () => File.Copy(userNuGetConfig, overridenNugetConfig, overwrite: true));
+                }
+                catch
+                {
+                    // best effort to copy
+                }
             }
         }
 
         private static bool IsRunningWorkloadCommand(ParseResult parseResult) =>
             parseResult.RootSubCommandResult() == (WorkloadCommandParser.GetCommand().Name);
+
+        private static bool TempHomeIsOnlyRootWritable(string path)
+        {
+            if (StatInterop.LStat(path, out StatInterop.FileStatus fileStat) != 0)
+            {
+                return false;
+            }
+
+            return IsOwnedByRoot(fileStat) && GroupCannotWrite(fileStat) &&
+                   OtherUserCannotWrite(fileStat);
+        }
+
+        private static bool OtherUserCannotWrite(StatInterop.FileStatus fileStat)
+        {
+            return (fileStat.Mode & (int) StatInterop.Permissions.S_IWOTH) == 0;
+        }
+
+        private static bool GroupCannotWrite(StatInterop.FileStatus fileStat)
+        {
+            return (fileStat.Mode & (int) StatInterop.Permissions.S_IWGRP) == 0;
+        }
+
+        private static bool IsOwnedByRoot(StatInterop.FileStatus fileStat)
+        {
+            return fileStat.Uid == 0;
+        }
     }
 }