fix(mdm): detect logged-in console user when running as root

Author: shubham-stepsecurity

internal/detector/aicli.go

@@ -196,7 +196,7 @@ func expandTilde(path, homeDir string) string {
 }
 
 func getHomeDir(exec executor.Executor) string {
-	u, err := exec.CurrentUser()
+	u, err := exec.LoggedInUser()
 	if err != nil {
 		return os.TempDir()
 	}

internal/detector/nodescan.go

@@ -3,6 +3,7 @@ package detector
 import (
 	"context"
 	"encoding/base64"
+	"fmt"
 	"os"
 	"path/filepath"
 	"sort"
@@ -30,12 +31,70 @@ func getMaxProjectScanBytes() int64 {
 
 // NodeScanner performs enterprise-mode node scanning (raw output, base64 encoded).
 type NodeScanner struct {
-	exec executor.Executor
-	log  *progress.Logger
+	exec         executor.Executor
+	log          *progress.Logger
+	loggedInUser string // when non-empty and running as root, commands run as this user
 }
 
-func NewNodeScanner(exec executor.Executor, log *progress.Logger) *NodeScanner {
-	return &NodeScanner{exec: exec, log: log}
+func NewNodeScanner(exec executor.Executor, log *progress.Logger, loggedInUser string) *NodeScanner {
+	return &NodeScanner{exec: exec, log: log, loggedInUser: loggedInUser}
+}
+
+// shouldRunAsUser returns true when commands should be delegated to the logged-in user.
+func (s *NodeScanner) shouldRunAsUser() bool {
+	return s.exec.IsRoot() && s.loggedInUser != ""
+}
+
+// runCmd runs a command, delegating to the logged-in user when running as root.
+// This ensures package manager commands use the real user's PATH and config.
+func (s *NodeScanner) runCmd(ctx context.Context, timeout time.Duration, name string, args ...string) (string, string, int, error) {
+	if s.shouldRunAsUser() {
+		ctx, cancel := context.WithTimeout(ctx, timeout)
+		defer cancel()
+		cmd := name
+		for _, a := range args {
+			cmd += " " + a
+		}
+		stdout, err := s.exec.RunAsUser(ctx, s.loggedInUser, cmd)
+		if err != nil {
+			if ctx.Err() == context.DeadlineExceeded {
+				return stdout, "", 124, fmt.Errorf("command timed out after %s", timeout)
+			}
+			return stdout, "", 1, err
+		}
+		return stdout, "", 0, nil
+	}
+	return s.exec.RunWithTimeout(ctx, timeout, name, args...)
+}
+
+// runShellCmd runs a shell command string, delegating to the logged-in user when running as root.
+func (s *NodeScanner) runShellCmd(ctx context.Context, timeout time.Duration, shellCmd string) (string, string, int, error) {
+	if s.shouldRunAsUser() {
+		ctx, cancel := context.WithTimeout(ctx, timeout)
+		defer cancel()
+		stdout, err := s.exec.RunAsUser(ctx, s.loggedInUser, shellCmd)
+		if err != nil {
+			if ctx.Err() == context.DeadlineExceeded {
+				return stdout, "", 124, fmt.Errorf("command timed out after %s", timeout)
+			}
+			return stdout, "", 1, err
+		}
+		return stdout, "", 0, nil
+	}
+	return s.exec.RunWithTimeout(ctx, timeout, "bash", "-c", shellCmd)
+}
+
+// checkPath checks if a binary is available, using the logged-in user's PATH when running as root.
+func (s *NodeScanner) checkPath(ctx context.Context, name string) error {
+	if s.shouldRunAsUser() {
+		path, err := s.exec.RunAsUser(ctx, s.loggedInUser, "which "+name)
+		if err != nil || path == "" {
+			return fmt.Errorf("%s not found in user PATH", name)
+		}
+		return nil
+	}
+	_, err := s.exec.LookPath(name)
+	return err
 }
 
 // ScanGlobalPackages runs npm/yarn/pnpm list -g and returns raw base64-encoded results.
@@ -61,7 +120,7 @@ func (s *NodeScanner) ScanGlobalPackages(ctx context.Context) []model.NodeScanRe
 }
 
 func (s *NodeScanner) scanNPMGlobal(ctx context.Context) (model.NodeScanResult, bool) {
-	if _, err := s.exec.LookPath("npm"); err != nil {
+	if err := s.checkPath(ctx, "npm"); err != nil {
 		return model.NodeScanResult{}, false
 	}
 
@@ -72,7 +131,7 @@ func (s *NodeScanner) scanNPMGlobal(ctx context.Context) (model.NodeScanResult,
 	}
 
 	start := time.Now()
-	stdout, stderr, exitCode, _ := s.exec.RunWithTimeout(ctx, 60*time.Second, "npm", "list", "-g", "--json", "--depth=3")
+	stdout, stderr, exitCode, _ := s.runCmd(ctx, 60*time.Second, "npm", "list", "-g", "--json", "--depth=3")
 	duration := time.Since(start).Milliseconds()
 
 	errMsg := ""
@@ -94,7 +153,7 @@ func (s *NodeScanner) scanNPMGlobal(ctx context.Context) (model.NodeScanResult,
 }
 
 func (s *NodeScanner) scanYarnGlobal(ctx context.Context) (model.NodeScanResult, bool) {
-	if _, err := s.exec.LookPath("yarn"); err != nil {
+	if err := s.checkPath(ctx, "yarn"); err != nil {
 		return model.NodeScanResult{}, false
 	}
 
@@ -128,7 +187,7 @@ func (s *NodeScanner) scanYarnGlobal(ctx context.Context) (model.NodeScanResult,
 }
 
 func (s *NodeScanner) scanPnpmGlobal(ctx context.Context) (model.NodeScanResult, bool) {
-	if _, err := s.exec.LookPath("pnpm"); err != nil {
+	if err := s.checkPath(ctx, "pnpm"); err != nil {
 		return model.NodeScanResult{}, false
 	}
 
@@ -140,7 +199,7 @@ func (s *NodeScanner) scanPnpmGlobal(ctx context.Context) (model.NodeScanResult,
 	globalDir = filepath.Dir(globalDir)
 
 	start := time.Now()
-	stdout, stderr, exitCode, _ := s.exec.RunWithTimeout(ctx, 60*time.Second, "pnpm", "list", "-g", "--json", "--depth=3")
+	stdout, stderr, exitCode, _ := s.runCmd(ctx, 60*time.Second, "pnpm", "list", "-g", "--json", "--depth=3")
 	duration := time.Since(start).Milliseconds()
 
 	errMsg := ""
@@ -308,15 +367,15 @@ func (s *NodeScanner) scanProject(ctx context.Context, projectDir string) model.
 }
 
 func (s *NodeScanner) getVersion(ctx context.Context, binary, flag string) string {
-	stdout, _, _, err := s.exec.RunWithTimeout(ctx, 10*time.Second, binary, flag)
+	stdout, _, _, err := s.runCmd(ctx, 10*time.Second, binary, flag)
 	if err != nil {
 		return "unknown"
 	}
 	return strings.TrimSpace(stdout)
 }
 
 func (s *NodeScanner) getOutput(ctx context.Context, binary string, args ...string) string {
-	stdout, _, _, err := s.exec.RunWithTimeout(ctx, 10*time.Second, binary, args...)
+	stdout, _, _, err := s.runCmd(ctx, 10*time.Second, binary, args...)
 	if err != nil {
 		return ""
 	}

internal/device/device.go

@@ -124,8 +124,8 @@ func getDeveloperIdentity(exec executor.Executor) string {
 			return v
 		}
 	}
-	// Fallback to current username
-	u, err := exec.CurrentUser()
+	// Fallback to logged-in username (detects console user when running as root)
+	u, err := exec.LoggedInUser()
 	if err == nil {
 		return u.Username
 	}

internal/executor/executor.go

@@ -45,6 +45,11 @@ type Executor interface {
 	HomeDir(username string) (string, error)
 	// Glob returns filenames matching a pattern.
 	Glob(pattern string) ([]string, error)
+	// LoggedInUser returns the actual logged-in console user.
+	// When running as root on macOS (e.g., via LaunchDaemon), this detects the
+	// real console user via /dev/console rather than returning root.
+	// Falls back to CurrentUser() when not root or on non-macOS platforms.
+	LoggedInUser() (*user.User, error)
 	// GOOS returns the runtime operating system.
 	GOOS() string
 }
@@ -131,6 +136,33 @@ func (r *Real) Glob(pattern string) ([]string, error) {
 	return filepath.Glob(pattern)
 }
 
+func (r *Real) LoggedInUser() (*user.User, error) {
+	if runtime.GOOS != "darwin" || !r.IsRoot() {
+		return r.CurrentUser()
+	}
+
+	// On macOS running as root, detect the console user.
+	// This mirrors the bash script's get_logged_in_user_info() which uses
+	// stat -f%Su /dev/console to find who is actually logged in.
+	ctx := context.Background()
+	stdout, _, _, err := r.Run(ctx, "stat", "-f%Su", "/dev/console")
+	if err != nil {
+		return r.CurrentUser()
+	}
+
+	username := strings.TrimSpace(stdout)
+	if username == "" || username == "root" || username == "_windowserver" {
+		return r.CurrentUser()
+	}
+
+	u, err := user.Lookup(username)
+	if err != nil {
+		return r.CurrentUser()
+	}
+
+	return u, nil
+}
+
 func (r *Real) GOOS() string {
 	return runtime.GOOS
 }

internal/executor/mock.go

@@ -267,6 +267,10 @@ func (m *Mock) Glob(pattern string) ([]string, error) {
 	return nil, nil
 }
 
+func (m *Mock) LoggedInUser() (*user.User, error) {
+	return m.CurrentUser()
+}
+
 func (m *Mock) GOOS() string {
 	m.mu.RLock()
 	defer m.mu.RUnlock()

internal/launchd/launchd.go

@@ -68,12 +68,24 @@ func Install(exec executor.Executor, log *progress.Logger) error {
 		}
 	}
 
+	// Resolve the real user's home directory for the plist.
+	// When running as root (LaunchDaemon), launchd provides a minimal environment
+	// without HOME, so os.UserHomeDir() would fail at runtime. We detect the
+	// logged-in console user now and bake their HOME into the plist.
+	userHome := ""
+	if exec.IsRoot() {
+		if u, err := exec.LoggedInUser(); err == nil {
+			userHome = u.HomeDir
+		}
+	}
+
 	// Generate plist
 	plistData := plistTemplateData{
 		Label:           label,
 		BinaryPath:      binaryPath,
 		IntervalSeconds: intervalSeconds,
 		LogDir:          logDir,
+		UserHome:        userHome,
 	}
 
 	f, err := os.Create(plistPath)
@@ -163,6 +175,7 @@ type plistTemplateData struct {
 	BinaryPath      string
 	IntervalSeconds int
 	LogDir          string
+	UserHome        string // non-empty when running as root; baked into plist as HOME env var
 }
 
 const plistTmpl = `<?xml version="1.0" encoding="UTF-8"?>
@@ -179,7 +192,12 @@ const plistTmpl = `<?xml version="1.0" encoding="UTF-8"?>
     <key>StartInterval</key>
     <integer>{{.IntervalSeconds}}</integer>
     <key>RunAtLoad</key>
-    <false/>
+    <false/>{{if .UserHome}}
+    <key>EnvironmentVariables</key>
+    <dict>
+        <key>HOME</key>
+        <string>{{.UserHome}}</string>
+    </dict>{{end}}
     <key>StandardOutPath</key>
     <string>{{.LogDir}}/agent.log</string>
     <key>StandardErrorPath</key>

internal/progress/progress.go

@@ -35,13 +35,15 @@ func (l *Logger) Progress(format string, args ...any) {
 	if l.quiet {
 		return
 	}
-	fmt.Fprintf(os.Stderr, "\033[2m[scanning]\033[0m %s\n", fmt.Sprintf(format, args...))
+	ts := time.Now().Format("2006-01-02 15:04:05")
+	fmt.Fprintf(os.Stderr, "\033[2m%s [scanning]\033[0m %s\n", ts, fmt.Sprintf(format, args...))
 }
 
 // Error always prints to stderr regardless of quiet mode.
 // Format: [error] message
 func (l *Logger) Error(format string, args ...any) {
-	fmt.Fprintf(os.Stderr, "\033[0;31m[error]\033[0m %s\n", fmt.Sprintf(format, args...))
+	ts := time.Now().Format("2006-01-02 15:04:05")
+	fmt.Fprintf(os.Stderr, "%s \033[0;31m[error]\033[0m %s\n", ts, fmt.Sprintf(format, args...))
 }
 
 // StepStart begins a labeled progress step with a spinner.

internal/scan/scanner.go

@@ -140,7 +140,7 @@ func resolveSearchDirs(exec executor.Executor, dirs []string) []string {
 	resolved := make([]string, 0, len(dirs))
 	for _, d := range dirs {
 		if d == "$HOME" {
-			u, err := exec.CurrentUser()
+			u, err := exec.LoggedInUser()
 			if err == nil {
 				d = u.HomeDir
 			}

internal/telemetry/telemetry.go

@@ -103,6 +103,12 @@ func Run(exec executor.Executor, log *progress.Logger, cfg *cli.Config) error {
 	log.Progress("OS Version: %s", dev.OSVersion)
 	log.Progress("Developer: %s", dev.UserIdentity)
 
+	// Detect logged-in user for running commands as the real user when root
+	loggedInUsername := ""
+	if loggedInUser, err := exec.LoggedInUser(); err == nil {
+		loggedInUsername = loggedInUser.Username
+	}
+
 	// Resolve search dirs
 	searchDirs := resolveSearchDirs(exec, cfg.SearchDirs)
 	fmt.Fprintln(os.Stderr)
@@ -201,7 +207,7 @@ func Run(exec executor.Executor, log *progress.Logger, cfg *cli.Config) error {
 		fmt.Fprintln(os.Stderr)
 
 		log.Progress("Scanning globally installed packages...")
-		nodeScanner := detector.NewNodeScanner(exec, log)
+		nodeScanner := detector.NewNodeScanner(exec, log, loggedInUsername)
 		globalPkgs = nodeScanner.ScanGlobalPackages(ctx)
 		log.Progress("  Found %d global package location(s)", len(globalPkgs))
 		fmt.Fprintln(os.Stderr)
@@ -375,7 +381,7 @@ func resolveSearchDirs(exec executor.Executor, dirs []string) []string {
 	resolved := make([]string, 0, len(dirs))
 	for _, d := range dirs {
 		if d == "$HOME" {
-			u, err := exec.CurrentUser()
+			u, err := exec.LoggedInUser()
 			if err == nil {
 				d = u.HomeDir
 			}