1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183

use std::path::Path;

#[derive(PartialEq, Eq, Debug, Hash, Ord, PartialOrd, Clone)]
#[cfg_attr(feature = "serde", derive(serde::Serialize, serde::Deserialize))]
/// An account based identity
pub struct Account {
    /// The user's name
    pub username: String,
    /// The user's password
    pub password: String,
}

/// Returns true if the given `path` is owned by the user who is executing the current process.
///
/// Note that this method is very specific to avoid having to deal with any operating system types.
pub fn is_path_owned_by_current_user(path: impl AsRef<Path>) -> std::io::Result<bool> {
    impl_::is_path_owned_by_current_user(path)
}

#[cfg(not(windows))]
mod impl_ {
    use std::path::Path;

    pub fn is_path_owned_by_current_user(path: impl AsRef<Path>) -> std::io::Result<bool> {
        fn owner_from_path(path: impl AsRef<Path>) -> std::io::Result<u32> {
            use std::os::unix::fs::MetadataExt;
            let meta = std::fs::symlink_metadata(path)?;
            Ok(meta.uid())
        }

        fn owner_of_current_process() -> std::io::Result<u32> {
            // SAFETY: there is no documented possibility for failure
            #[allow(unsafe_code)]
            let uid = unsafe { libc::geteuid() };
            Ok(uid)
        }
        use std::str::FromStr;

        let owner_of_path = owner_from_path(path)?;
        let owner_of_process = owner_of_current_process()?;
        if owner_of_path == owner_of_process {
            Ok(true)
        } else if let Some(sudo_uid) =
            std::env::var_os("SUDO_UID").and_then(|val| val.to_str().and_then(|val_str| u32::from_str(val_str).ok()))
        {
            Ok(owner_of_path == sudo_uid)
        } else {
            Ok(false)
        }
    }
}

#[cfg(windows)]
mod impl_ {
    use std::path::Path;

    fn err(msg: impl Into<String>) -> std::io::Error {
        std::io::Error::new(std::io::ErrorKind::Other, msg.into())
    }

    pub fn is_path_owned_by_current_user(path: impl AsRef<Path>) -> std::io::Result<bool> {
        use windows::{
            core::{Error, PCWSTR},
            Win32::{
                Foundation::{CloseHandle, BOOL, HANDLE, HLOCAL, PSID},
                Security::{
                    Authorization::{GetNamedSecurityInfoW, SE_FILE_OBJECT},
                    CheckTokenMembership, EqualSid, GetTokenInformation, IsWellKnownSid, TokenOwner,
                    WinBuiltinAdministratorsSid, OWNER_SECURITY_INFORMATION, PSECURITY_DESCRIPTOR, TOKEN_OWNER,
                    TOKEN_QUERY,
                },
                System::{
                    Memory::LocalFree,
                    Threading::{GetCurrentProcess, GetCurrentThread, OpenProcessToken, OpenThreadToken},
                },
            },
        };

        let mut err_msg = None;
        let mut is_owned = false;
        let path = path.as_ref();

        if !path.exists() {
            return Err(std::io::Error::new(
                std::io::ErrorKind::NotFound,
                format!("{:?} does not exist.", path),
            ));
        }

        // Home is not actually owned by the corresponding user
        // but it can be considered de-facto owned by the user
        // Ignore errors here and just do the regular checks below
        if gix_path::realpath(path).ok() == gix_path::env::home_dir() {
            return Ok(true);
        }

        #[allow(unsafe_code)]
        unsafe {
            let mut folder_owner = PSID::default();
            let mut pdescriptor = PSECURITY_DESCRIPTOR::default();
            let result = GetNamedSecurityInfoW(
                PCWSTR(to_wide_path(path).as_ptr()),
                SE_FILE_OBJECT,
                OWNER_SECURITY_INFORMATION,
                Some(&mut folder_owner),
                None,
                None,
                None,
                &mut pdescriptor,
            );

            // Workaround for https://github.com/microsoft/win32metadata/issues/884
            if result.is_ok() {
                let mut token = HANDLE::default();
                // Use the current thread token if possible, otherwise open the process token
                OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, true, &mut token)
                    .ok()
                    .or_else(|_| OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &mut token).ok())?;

                let mut buffer_size = 0;
                let mut buffer = Vec::<u8>::new();
                GetTokenInformation(token, TokenOwner, None, 0, &mut buffer_size);
                if buffer_size != 0 {
                    buffer.resize(buffer_size as usize, 0);
                    if GetTokenInformation(
                        token,
                        TokenOwner,
                        Some(buffer.as_mut_ptr() as *mut std::ffi::c_void),
                        buffer_size,
                        &mut buffer_size,
                    )
                    .as_bool()
                    {
                        let token_owner = buffer.as_ptr() as *const TOKEN_OWNER;
                        let token_owner = (*token_owner).Owner;

                        is_owned = EqualSid(folder_owner, token_owner).as_bool();

                        // Admin-group owned folders are considered owned by the current user, if they are in the admin group
                        if !is_owned && IsWellKnownSid(token_owner, WinBuiltinAdministratorsSid).as_bool() {
                            let mut is_member = BOOL::default();
                            // TODO: re-use the handle
                            match CheckTokenMembership(HANDLE::default(), token_owner, &mut is_member).ok() {
                                Err(e) => err_msg = Some(format!("Couldn't check if user is an administrator: {}", e)),
                                Ok(()) => is_owned = is_member.as_bool(),
                            }
                        }
                    } else {
                        err_msg = format!(
                            "Couldn't get actual token information for current process with err: {}",
                            Error::from_win32()
                        )
                        .into();
                    }
                } else {
                    err_msg = format!(
                        "Couldn't get token information size info for current process with err: {}",
                        Error::from_win32()
                    )
                    .into();
                }
                CloseHandle(token);
            } else {
                err_msg = format!(
                    "Couldn't get security information for path '{}' with err {}",
                    path.display(),
                    Error::from_win32()
                )
                .into();
            }
            LocalFree(HLOCAL(pdescriptor.0 as isize)).ok();
        }

        err_msg.map(|msg| Err(err(msg))).unwrap_or(Ok(is_owned))
    }

    fn to_wide_path(path: impl AsRef<Path>) -> Vec<u16> {
        use std::os::windows::ffi::OsStrExt;
        let mut wide_path: Vec<_> = path.as_ref().as_os_str().encode_wide().collect();
        wide_path.push(0);
        wide_path
    }
}