chore: 安全整改, 修改使用GetConnPID来获取用户的环境变量,改成使用GetConnUID

使用GetConnUID替代GetConnPID来获取调用者的运行环境

Log: 使用GetConnUID替代GetConnPID来获取调用者的运行环境
PMS: TASK-381283
Influence: security

Author: fly602

accounts1/manager_ifc.go

@@ -20,8 +20,6 @@ import (
 	"github.com/linuxdeepin/dde-daemon/accounts1/users"
 	login1 "github.com/linuxdeepin/go-dbus-factory/system/org.freedesktop.login1"
 	"github.com/linuxdeepin/go-lib/dbusutil"
-	"github.com/linuxdeepin/go-lib/gettext"
-	"github.com/linuxdeepin/go-lib/procfs"
 	"github.com/linuxdeepin/go-lib/users/passwd"
 	dutils "github.com/linuxdeepin/go-lib/utils"
 )
@@ -303,19 +301,6 @@ func (m *Manager) IsUsernameValid(sender dbus.Sender, name string) (valid bool,
 		busErr = dbusutil.ToError(err)
 	}()
 
-	pid, err := m.service.GetConnPID(string(sender))
-	if err != nil {
-		return
-	}
-
-	p := procfs.Process(pid)
-	environ, err := p.Environ()
-	if err != nil {
-		return
-	}
-
-	locale := environ.Get("LANG")
-
 	// 如果新建用户使用的用户名和域用户名一致，提示用户该用户已经存在
 	if m.isDomainUserExist(name) {
 		info = checkers.ErrCodeExist.Error()
@@ -328,11 +313,6 @@ func (m *Manager) IsUsernameValid(sender dbus.Sender, name string) (valid bool,
 	}
 
 	msg = info.Error.Error()
-	logger.Debug("locale:", locale)
-	if locale != "" {
-		gettext.SetLocale(gettext.LcAll, locale)
-		msg = gettext.Tr(msg)
-	}
 	code = int32(info.Code)
 	return
 }

accounts1/user.go

@@ -22,7 +22,6 @@ import (
 	glib "github.com/linuxdeepin/go-gir/glib-2.0"
 	"github.com/linuxdeepin/go-lib/dbusutil"
 	"github.com/linuxdeepin/go-lib/gdkpixbuf"
-	"github.com/linuxdeepin/go-lib/procfs"
 	"github.com/linuxdeepin/go-lib/strv"
 	dutils "github.com/linuxdeepin/go-lib/utils"
 )
@@ -276,22 +275,6 @@ func getUserGreeterBackground(kf *glib.KeyFile) (string, bool) {
 	return greeterBg, true
 }
 
-func (u *User) getSenderDBus(sender dbus.Sender) string {
-	pid, err := u.service.GetConnPID(string(sender))
-	if err != nil {
-		logger.Warning(err)
-		return ""
-	}
-	proc := procfs.Process(pid)
-	exe, err := proc.Exe()
-	if err != nil {
-		logger.Warning(err)
-		return ""
-	}
-	logger.Debug(" [getSenderDBus] sender exe : ", exe)
-	return exe
-}
-
 func (u *User) updateIconList() {
 	u.IconList = u.getAllIcons()
 	_ = u.emitPropChangedIconList(u.IconList)

accounts1/user_ifc.go

@@ -1250,27 +1250,25 @@ func (u *User) SetSecretQuestions(sender dbus.Sender, list map[int][]byte) *dbus
 }
 
 func (u *User) SetSecretKey(sender dbus.Sender, secretKey string) *dbus.Error {
-	senderName := u.getSenderDBus(sender)
-	logger.Debugf("[SetSecretKey] sender : %s, senderName : %s, UserName : %s : ", sender, senderName, u.UserName)
-	if !strings.Contains(senderName, controlCenter) {
-		return dbusutil.ToError(errors.New("invalid sender"))
+	err := u.checkAuth(sender, true, polkitActionUserAdministration)
+	if err != nil {
+		return dbusutil.ToError(err)
 	}
 
 	if u.uadpInterface == nil {
 		return nil
 	}
-	err := u.uadpInterface.Set(0, u.UserName, []uint8(secretKey))
+	err = u.uadpInterface.Set(0, u.UserName, []uint8(secretKey))
 	if err != nil {
 		return dbusutil.ToError(err)
 	}
 	return nil
 }
 
 func (u *User) GetSecretKey(sender dbus.Sender, username string) (string, *dbus.Error) {
-	senderName := u.getSenderDBus(sender)
-	logger.Debugf("[GetSecretKey] sender : %s, senderName : %s, UserName : %s : ", sender, senderName, username)
-	if !(strings.Contains(senderName, resetPasswordDia) || strings.Contains(senderName, controlCenter)) {
-		return "", dbusutil.ToError(errors.New("invalid sender"))
+	err := u.checkAuth(sender, true, polkitActionUserAdministration)
+	if err != nil {
+		return "", dbusutil.ToError(err)
 	}
 	if u.uadpInterface == nil {
 		return "", nil
@@ -1283,16 +1281,15 @@ func (u *User) GetSecretKey(sender dbus.Sender, username string) (string, *dbus.
 }
 
 func (u *User) DeleteSecretKey(sender dbus.Sender) *dbus.Error {
-	senderName := u.getSenderDBus(sender)
-	logger.Debugf("[DeleteSecretKey] sender : %s, senderName : %s, UserName : %s : ", sender, senderName, u.UserName)
-	if !strings.Contains(senderName, controlCenter) {
-		return dbusutil.ToError(errors.New("invalid sender"))
+	err := u.checkAuth(sender, true, polkitActionUserAdministration)
+	if err != nil {
+		return dbusutil.ToError(err)
 	}
 
 	if u.uadpInterface == nil {
 		return nil
 	}
-	err := u.uadpInterface.Delete(0, u.UserName)
+	err = u.uadpInterface.Delete(0, u.UserName)
 	if err != nil {
 		return dbusutil.ToError(err)
 	}

dbus/dbus.go

@@ -6,7 +6,9 @@ package dbus
 
 import (
 	"github.com/godbus/dbus/v5"
+	login1 "github.com/linuxdeepin/go-dbus-factory/system/org.freedesktop.login1"
 	"github.com/linuxdeepin/go-lib"
+	"github.com/linuxdeepin/go-lib/dbusutil"
 )
 
 // IsSessionBusActivated check the special session bus name whether activated
@@ -36,3 +38,54 @@ func releaseDBusName(bus *dbus.Conn, name string) {
 		_, _ = bus.ReleaseName(name)
 	}
 }
+
+// GetSessionType 通过 UID 从 login1 获取 session type，比使用 PID 更安全
+// 返回 session type: "x11", "wayland", "tty" 等
+func GetSessionType(service *dbusutil.Service, sender dbus.Sender) (string, error) {
+	// 使用 GetConnUID 替代 GetConnPID，更安全
+	uid, err := service.GetConnUID(string(sender))
+	if err != nil {
+		return "", err
+	}
+
+	// 获取系统总线连接
+	systemConn, err := dbus.SystemBus()
+	if err != nil {
+		return "", err
+	}
+
+	// 创建 login1 Manager
+	loginManager := login1.NewManager(systemConn)
+
+	// 通过 UID 获取用户对象路径
+	userPath, err := loginManager.GetUser(0, uid)
+	if err != nil {
+		return "", err
+	}
+
+	// 创建 User 对象
+	user, err := login1.NewUser(systemConn, userPath)
+	if err != nil {
+		return "", err
+	}
+
+	// 获取用户的 Display session（主要的图形会话）
+	sessionInfo, err := user.Display().Get(0)
+	if err != nil {
+		return "", err
+	}
+
+	// 创建 Session 对象
+	session, err := login1.NewSession(systemConn, sessionInfo.Path)
+	if err != nil {
+		return "", err
+	}
+
+	// 获取 session type (x11, wayland, tty 等)
+	sessionType, err := session.Type().Get(0)
+	if err != nil {
+		return "", err
+	}
+
+	return sessionType, nil
+}

grub2/grub2.go

@@ -18,6 +18,7 @@ import (
 
 	dbus "github.com/godbus/dbus/v5"
 	"github.com/linuxdeepin/dde-daemon/grub_common"
+	accounts "github.com/linuxdeepin/go-dbus-factory/system/org.deepin.dde.accounts1"
 	ofdbus "github.com/linuxdeepin/go-dbus-factory/system/org.freedesktop.dbus"
 	"github.com/linuxdeepin/go-lib/dbusutil"
 	"github.com/linuxdeepin/go-lib/log"
@@ -520,18 +521,21 @@ func (g *Grub2) addModifyTask(task modifyTask) {
 }
 
 func (g *Grub2) getSenderLang(sender dbus.Sender) (string, error) {
-	pid, err := g.service.GetConnPID(string(sender))
+	// 使用 GetConnUID 获取用户 UID
+	uid, err := g.service.GetConnUID(string(sender))
 	if err != nil {
 		return "", err
 	}
 
-	p := procfs.Process(pid)
-	environ, err := p.Environ()
+	// 从 Accounts1 获取用户的 Locale 属性
+	locale, err := getUserLocaleFromAccounts(uid)
 	if err != nil {
-		return "", err
+		logger.Debug("failed to get user locale from Accounts1:", err)
+		// 回退到系统默认 locale
+		return os.Getenv("LANG"), nil
 	}
 
-	return environ.Get("LANG"), nil
+	return locale, nil
 }
 
 func getXEnvWithSender(service *dbusutil.Service, sender dbus.Sender) (map[string]string, error) {
@@ -689,3 +693,35 @@ func setFstartState(state bool) error {
 	}
 	return nil
 }
+
+// getUserLocaleFromAccounts 从 Accounts1 服务获取用户的 Locale 属性
+func getUserLocaleFromAccounts(uid uint32) (string, error) {
+	systemConn, err := dbus.SystemBus()
+	if err != nil {
+		return "", err
+	}
+
+	// 创建 Accounts Manager 对象
+	accountsManager := accounts.NewAccounts(systemConn)
+
+	// 调用 FindUserById 方法获取用户对象路径
+	// 注意：FindUserById 接受 string 类型的 UID
+	userPathStr, err := accountsManager.FindUserById(0, strconv.FormatUint(uint64(uid), 10))
+	if err != nil {
+		return "", err
+	}
+
+	// 创建 User 对象
+	user, err := accounts.NewUser(systemConn, dbus.ObjectPath(userPathStr))
+	if err != nil {
+		return "", err
+	}
+
+	// 获取 Locale 属性
+	locale, err := user.Locale().Get(0)
+	if err != nil {
+		return "", err
+	}
+
+	return locale, nil
+}

grub2/grub2_ifc.go

@@ -10,9 +10,9 @@ import (
 	"strings"
 
 	dbus "github.com/godbus/dbus/v5"
+	ddedbus "github.com/linuxdeepin/dde-daemon/dbus"
 	"github.com/linuxdeepin/dde-daemon/grub_common"
 	"github.com/linuxdeepin/go-lib/dbusutil"
-	"github.com/linuxdeepin/go-lib/procfs"
 )
 
 const (
@@ -53,22 +53,16 @@ func (grub *Grub2) GetSimpleEntryTitles(sender dbus.Sender) (titles []string, bu
 
 func (g *Grub2) GetAvailableGfxmodes(sender dbus.Sender) (gfxModes []string, busErr *dbus.Error) {
 	// 只读操作，无需鉴权
-	pid, err := g.service.GetConnPID(string(sender))
+	sessionType, err := ddedbus.GetSessionType(g.service, sender)
 	if err != nil {
+		logger.Warning("failed to get session type:", err)
 		return nil, dbusutil.ToError(err)
 	}
 
-	p := procfs.Process(pid)
-	envVars, err := p.Environ()
-	if err != nil {
-		return nil, dbusutil.ToError(err)
-	}
-
-	sessionType := envVars.Get("XDG_SESSION_TYPE")
-
-	if sessionType == "wayland" {
+	switch sessionType {
+	case "wayland":
 		logger.Debug("wayland desktop environment, can not acquire output info")
-	} else if sessionType == "x11" {
+	case "x11":
 		g.service.DelayAutoQuit()
 		modes, err := g.getAvailableGfxmodes(sender)
 		if err != nil {
@@ -80,8 +74,8 @@ func (g *Grub2) GetAvailableGfxmodes(sender dbus.Sender) (gfxModes []string, bus
 		for idx, m := range modes {
 			gfxModes[idx] = m.String()
 		}
-	} else {
-		logger.Debug("unkown session type, can not acquire output info")
+	default:
+		logger.Debug("unknown session type, can not acquire output info")
 	}
 
 	return gfxModes, nil