fix: enforce polkit auth and prevent chpasswd injection

caixr23 · caixr23 · commit 9c4ea616211a · 2026-05-22T16:47:12.000+08:00
1. SetPassword now requires polkitActionUserAdministration
   instead of empty action, fixing a permission bypass
2. ModifyPasswd rejects password hashes containing \n\r:
   to prevent chpasswd stdin injection

Log: password change requires admin authentication

Influence:
1. non-admin user should be denied when calling DBus
   SetPassword
2. password hash containing newline or colon should
   return error

fix: 修改密码需鉴权并防止 chpasswd 注入

1. SetPassword 改为需要 polkitActionUserAdministration 鉴权，
   修复空 action 导致的权限绕过
2. ModifyPasswd 拒绝包含 \n\r: 的密码哈希，
   防止通过 chpasswd stdin 注入额外记录

Log: 修改密码需要管理员鉴权，防止未授权修改

Influence:
1. 非管理员用户尝试通过 DBus SetPassword 修改密码应被拒绝
2. 验证密码哈希包含换行或冒号时返回错误
diff --git a/accounts1/user_ifc.go b/accounts1/user_ifc.go
@@ -122,8 +122,8 @@ func (u *User) SetPassword(sender dbus.Sender, password string) *dbus.Error {
 	if password == "" {
 		return nil
 	}
-
-	err := u.checkAuth(sender, false, "")
+	// 修改密码，一律需要鉴权管理员
+	err := u.checkAuth(sender, false, polkitActionUserAdministration)
 	if err != nil {
 		logger.Debug("[SetPassword] access denied:", err)
 		return dbusutil.ToError(err)
diff --git a/accounts1/users/prop.go b/accounts1/users/prop.go
@@ -161,6 +161,10 @@ func ModifyPasswd(words, username string) error {
 	if len(words) == 0 {
 		return errInvalidParam
 	}
+	// 防止命令注入
+	if strings.ContainsAny(words, "\n\r") {
+		return errInvalidParam
+	}
 
 	cmd := exec.Command(pwdCmdModify, "-e")
 	input := fmt.Sprintf("%s:%s\n", username, words)
