From: Theo de Raadt
Subject: Re: bin/ksh: add bash-like expand-tilde option
To: kirill@korins.ky, tech@openbsd.org
Date: Sat, 25 Apr 2026 04:21:39 -0600

I am going to argue that the existing behaviour of converting ~username to the expanded form immediately is a TOCTOU.

It works like this:

1. user types a partial command with some ~otheruser form that gets expanded, but does not complete the command yet
2. In a different session, root changes that otheruser's homedir or even deletes the user
3. The original user completes their command and types

What happens next is an action that depended on incorrect early conversion.

An expansion of ~otheru into ~otheruser is one thing which needs to be done immediately, but the translation into correct pw_dir could be done as a separate step.

I guess it is a question of whether atomic single-lookup is desirable, or if reaching the correct user->pw_dir is better.

The visual improvement of keeping it in ~ format since that is what the user typed and avoids surprise, makes me prefer always keeping this in ~ visual format.

I really dislike optional code which people will or won't use.
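
The three-step race described in the message above, as an added example that is not part of the original message and is not OpenBSD ksh code. It assumes a constructed one-user stand-in for the passwd database; `admin_set_home`, `lookup_dir` and `expand_tilde` are hypothetical names, and bare `~` (the caller's own home) is not handled.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the passwd database: one user, mutable home. */
static const char *otheruser_dir = "/home/otheruser";

/* Step 2 of the race: another session changes the home (NULL = user deleted). */
static void admin_set_home(const char *dir) { otheruser_dir = dir; }

static const char *lookup_dir(const char *name)
{
	return strcmp(name, "otheruser") == 0 ? otheruser_dir : NULL;
}

/* Resolve a leading ~user in word to its pw_dir. Returns 0 on success.
 * If there is no resolvable ~user prefix, returns -1 and copies word
 * unchanged, so the caller can refuse to act instead of using a stale path. */
static int expand_tilde(const char *word, char *out, size_t len)
{
	const char *rest = strchr(word, '/');
	size_t n = rest ? (size_t)(rest - word) : strlen(word);
	char name[64];
	const char *dir = NULL;

	if (word[0] == '~' && n > 1 && n - 1 < sizeof(name)) {
		memcpy(name, word + 1, n - 1);
		name[n - 1] = '\0';
		dir = lookup_dir(name);
	}
	if (dir == NULL) {
		snprintf(out, len, "%s", word);
		return -1;
	}
	snprintf(out, len, "%s%s", dir, rest ? rest : "");
	return 0;
}

int main(void)
{
	const char *typed = "~otheruser/notes.txt";
	char early[128], late[128];

	expand_tilde(typed, early, sizeof(early)); /* step 1: expanded while editing */
	admin_set_home("/home/moved");             /* step 2: home changes elsewhere */
	expand_tilde(typed, late, sizeof(late));   /* step 3: resolved at execution */
	printf("early: %s\nlate:  %s\n", early, late);
	return 0;
}
```

The buffer expanded at step 1 still names the old directory, while the word kept in `~` form resolves to the current pw_dir, or fails visibly if the user was deleted.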