diff --git a/service/diskmanagerservice.cpp b/service/diskmanagerservice.cpp
index 9a5bc1e..f8ef2db 100644
--- a/service/diskmanagerservice.cpp
+++ b/service/diskmanagerservice.cpp
@@ -152,7 +152,12 @@ bool DiskManagerService::mount(const QString &mountpath)
 return false;
 }
- QString invokerUid = QString::number(connection().interface()->serviceUid(message().service()).value());
+ QDBusReply uidReply = connection().interface()->serviceUid(message().service());
+ if (!uidReply.isValid()) {
+ qWarning() << "Failed to get invoker UID for mount, refusing operation";
+ return false;
+ }
+ QString invokerUid = QString::number(uidReply.value());
 return m_partedcore->mountAndWriteFstab(mountpath, invokerUid);
 }
@@ -502,16 +507,25 @@ bool DiskManagerService::checkAuthorization(void)
 QString actionId("com.deepin.pkexec.deepin-diskmanager");
 QString serviceName = message().service();
- if (serviceName == m_frontEndDBusName ||
- connection().interface()->serviceUid(serviceName).value() == 0 ||
- PolicyKitHelper::instance()->checkAuthorization(actionId, serviceName)) {
- qDebug() << "Authorization granted for service:" << serviceName;
+ if (serviceName == m_frontEndDBusName) {
+ qDebug() << "Authorization granted for frontend:" << serviceName;
+ return true;
+ }
+
+ QDBusReply uidReply = connection().interface()->serviceUid(serviceName);
+ if (uidReply.isValid() && uidReply.value() == 0) {
+ qDebug() << "Authorization granted for root user";
 return true;
- } else {
- qWarning() << "Authorization denied for service:" << serviceName;
- sendErrorReply(QDBusError::AccessDenied);
- return false;
 }
+
+ if (PolicyKitHelper::instance()->checkAuthorization(actionId, serviceName)) {
+ qDebug() << "Authorization granted via Polkit for service:" << serviceName;
+ return true;
+ }
+
+ qWarning() << "Authorization denied for service:" << serviceName;
+ sendErrorReply(QDBusError::AccessDenied);
+ return false;
 #endif
 }
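Review bot: The new failure branch in mount() logs a fixed string and drops the reason, so a refused mount cannot later be tied to a caller or to a bus error. Including both would help triage, for example `qWarning() << "Failed to get invoker UID for mount from" << message().service() << ":" << uidReply.error().message();`. The branch also returns false without a `sendErrorReply(...)`, unlike the denial path in checkAuthorization(), so it is worth deciding whether the caller should receive a D-Bus error here. mount() begins above this hunk, so any earlier reply handling is not visible.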
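Review bot: In checkAuthorization() the first branch still returns true on `serviceName == m_frontEndDBusName` alone, ahead of the UID and Polkit checks, so the decision rests entirely on how m_frontEndDBusName is assigned, which this hunk does not show. If that member can be set from a caller-supplied or otherwise unauthenticated value, the shortcut would bypass Polkit for that caller. A comment stating where the name comes from and why it is trusted would make the invariant reviewable. Separately, an invalid `uidReply` now falls through to Polkit without a trace; `if (!uidReply.isValid()) qWarning() << "serviceUid lookup failed for" << serviceName << uidReply.error().message();` would keep that case visible in logs.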
diff --git a/service/diskoperation/filesystems/btrfs.cpp b/service/diskoperation/filesystems/btrfs.cpp
index 76732e2..d54562d 100644
--- a/service/diskoperation/filesystems/btrfs.cpp
+++ b/service/diskoperation/filesystems/btrfs.cpp
@@ -386,12 +386,7 @@ double Btrfs::btrfsSize2Double(QString &str)
 double num = numStr.toDouble();
 int index = str.indexOf(numStr);
 int pos = index + numStr.length();
- if (pos < str.length()) {
- qDebug() << "pos < str.length()";
- char unit = str.at(pos).toLatin1();
-
- }
- char unit = str.at(pos).toLatin1();
+ char unit = (pos < str.length()) ? str.at(pos).toLatin1() : '\0';
 Byte_Value mult;
 switch (unit) {
 case 'K': mult = KIBIBYTE ; break ;
diff --git a/service/diskoperation/luksoperator/luksoperator.cpp b/service/diskoperation/luksoperator/luksoperator.cpp
index 5aaab46..f215407 100644
--- a/service/diskoperation/luksoperator/luksoperator.cpp
+++ b/service/diskoperation/luksoperator/luksoperator.cpp
@@ -6,6 +6,7 @@
 #include "luksoperator.h"
 #include "../fsinfo.h"
 #include
+#include
 #include
 #include
 #include
@@ -668,6 +669,7 @@ bool LUKSOperator::wirteCrypttab(LUKS_INFO &luksInfo, bool isMount)
 qDebug() << "open /etc/crypttab failed, return false";
 return false;
 }
+ QFileDevice::Permissions origPerm = file.permissions();
 // read crypttab
 bool findflag = false; //目前默认只改第一个发现的uuid findflag 标志位:是否已经查找到uuid
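Review bot: The replacement guard in btrfsSize2Double() bounds `pos` only from above, while `index` comes from `str.indexOf(numStr)` and is -1 when the number text is not found. In that case `pos` becomes `numStr.length() - 1` and `str.at(pos)` reads an unrelated character as the unit. How numStr is derived is outside the hunk, so this may be unreachable, but `char unit = (index >= 0 && pos < str.length()) ? str.at(pos).toLatin1() : '\0';` makes the lookup safe either way. The `'\0'` fallback also relies on the switch having a default branch that assigns `mult`; that branch is below the hunk and should be confirmed.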
@@ -698,18 +700,23 @@ bool LUKSOperator::wirteCrypttab(LUKS_INFO &luksInfo, bool isMount)
 }
 file.close();
- //write crypttab
- if (!file.open(QIODevice::ReadWrite | QIODevice::Truncate)) {
+ // 原子写入:先写临时文件,再 rename 到 /etc/crypttab,避免 TOCTOU 竞态
+ QSaveFile saveFile(QStringLiteral("/etc/crypttab"));
+ if (!saveFile.open(QIODevice::WriteOnly)) {
 qDebug() << "open /etc/crypttab for write failed, return false";
 return false;
 }
-
- QTextStream out(&file);
+ QTextStream out(&saveFile);
 for (int i = 0; i < list.count(); i++) {
 out << list.at(i);
 }
 out.flush();
- file.close();
+ if (!saveFile.commit()) {
+ qDebug() << "commit /etc/crypttab failed, return false";
+ return false;
+ }
+ // 恢复原文件权限,避免 QSaveFile 使用临时文件导致权限被 umask 改变
+ QFile::setPermissions(QStringLiteral("/etc/crypttab"), origPerm);
 qDebug() << "Successfully created key file:" << filePath;
 qDebug() << "LUKSOperator::wirteCrypttab END";
 return true;
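Review bot: Permissions are restored only after `saveFile.commit()` and the result of `QFile::setPermissions(...)` is ignored. Between the rename and that call, /etc/crypttab carries whatever mode the temporary file was given, and a failed restore goes unnoticed while the function still returns true. Applying the mode to the save file before committing closes that window, for example `if (!saveFile.setPermissions(origPerm)) { qWarning() << "restore /etc/crypttab permissions failed"; }` placed ahead of `saveFile.commit()`. The added comment also says the change avoids TOCTOU, but the read, modify and write sequence is still unlocked. The rename prevents a torn file, not a lost update from a concurrent writer, and the comment should say so.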