Skip to content

fix(workspace): Allow /var/home workspaces#1199

Closed
frap129 wants to merge 1 commit intonesquena:masterfrom
frap129:fix/atomic-home-again
Closed

fix(workspace): Allow /var/home workspaces#1199
frap129 wants to merge 1 commit intonesquena:masterfrom
frap129:fix/atomic-home-again

Conversation

@frap129
Copy link
Copy Markdown
Contributor

@frap129 frap129 commented Apr 28, 2026

Removes the pointless guard on home path checks to make /var/home and other alternate home paths work as workspaces. I just fixed this in #1165 and it was almost immediately broken.

@nesquena-hermes nesquena-hermes mentioned this pull request Apr 28, 2026
Merged
nesquena-hermes added a commit that referenced this pull request Apr 28, 2026
@nesquena-hermes @frap129
fix(workspace): Allow /var/home workspaces (#1199)
1f07d3d 
fix(workspace): Allow /var/home workspaces (#1199)

Carries code from @frap129's PR #1199. On systemd-homed (Fedora/RHEL),
home lives under /var/home/<user> — blocked by _is_blocked_system_path
because /var is in the blocked roots list. Fix: trust any path under
Path.home() as long as home != /. Also adds symmetric early-return
in validate_workspace_to_add.

2764 tests pass.

Co-authored-by: Joe Maples <[email protected]>
@nesquena-hermes
Copy link
Copy Markdown
Collaborator

nesquena-hermes commented Apr 28, 2026

Merged via integration branch #1200 as v0.50.233. Thanks @frap129!

@nesquena-hermes nesquena-hermes added bug Something isn't working workspace Workspace panel, file browser, preview labels Apr 28, 2026
@nesquena-hermes
Copy link
Copy Markdown
Collaborator

nesquena-hermes commented Apr 28, 2026

Root cause confirmed: on systemd-homed Fedora/RHEL, Path.home() resolves to /var/home/username. The _is_blocked_system_path() guard correctly blocks /var as a system root, but /var/home/username is the user's actual home — the guard should never fire for HOME itself, only for paths outside home.

The fix is correct: removing not _is_blocked_system_path(_home) from the _home_is_sane check in resolve_trusted_workspace, and adding an explicit _is_within(candidate, _home) early return in validate_workspace_to_add before the system path check runs. Home is always trusted regardless of where /var/home physically lives.

This is a clean, targeted fix — low risk, affects only Fedora/RHEL systemd-homed users. Labelled bug + workspace, review requested.

JKJameson pushed a commit to JKJameson/hermes-webui that referenced this pull request Apr 29, 2026
@nesquena-hermes @frap129
fix(workspace): Allow /var/home workspaces (nesquena#1199)
80ea9c3 
fix(workspace): Allow /var/home workspaces (nesquena#1199)

Carries code from @frap129's PR nesquena#1199. On systemd-homed (Fedora/RHEL),
home lives under /var/home/<user> — blocked by _is_blocked_system_path
because /var is in the blocked roots list. Fix: trust any path under
Path.home() as long as home != /. Also adds symmetric early-return
in validate_workspace_to_add.

2764 tests pass.

Co-authored-by: Joe Maples <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nesquena nesquena Awaiting requested review from nesquena

Assignees

No one assigned

Labels

bug Something isn't working workspace Workspace panel, file browser, preview

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@frap129 @nesquena-hermes