From 550b7ea326965a5c6f67810abb8dde1660e2a236 Mon Sep 17 00:00:00 2001
From: gcorrall <4834451+gcorrall@users.noreply.github.com>
Date: Thu, 30 Oct 2025 20:38:50 +0000
Subject: [PATCH] Fix race condition in ReadHome

Re-use the original filehandle when reading homePolicyPath to avoid a 'Time-of-check to time-of-use' race condition.

Signed-off-by: gcorrall <4834451+gcorrall@users.noreply.github.com>
---
 commands/readhome.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/commands/readhome.go b/commands/readhome.go
index 0c23742e..f0431b97 100644
--- a/commands/readhome.go
+++ b/commands/readhome.go
@@ -21,6 +21,7 @@ package commands
 import (
 "errors"
 "fmt"
+ "io"
 "os"
 "os/user"
 "path/filepath"
@@ -83,7 +84,7 @@ func ReadHome(username string) ([]byte, error) {
 if fileInfo.Mode().Perm() != files.ModeHomePerms {
 return nil, fmt.Errorf("unsafe file permissions for %s got %o expected %o", homePolicyPath, fileInfo.Mode().Perm(), files.ModeHomePerms)
 }
- fileBytes, err := os.ReadFile(homePolicyPath)
+ fileBytes, err := io.ReadAll(file)
 if err != nil {
 return nil, fmt.Errorf("failed to read %s, %v", homePolicyPath, err)
 }
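Review bot: The new `io.ReadAll(file)` in ReadHome reads the home policy file with no size bound, and the only check visible in this hunk is on the permission bits, so an oversized or non-regular file that passes it would be pulled into memory in full. Consider capping the read, for example `fileBytes, err := io.ReadAll(io.LimitReader(file, maxHomePolicySize))`, where `maxHomePolicySize` is a placeholder for a limit the project would choose. Also reject the file when `fileInfo.Mode().IsRegular()` is false, if that is not already done above the hunk. The race fix itself only holds if `fileInfo` was obtained with `file.Stat()` on this same handle rather than a path-based `os.Stat(homePolicyPath)`; that line is outside the hunk, so it is worth confirming. ReadHome starts and ends outside the hunk.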