fix: harden avatar load against symlink TOCTOU (v0.6.19)

SEC-01 (security audit, LOW): the avatar load followed symlinks via
gio::File while the wallpaper load was already O_NOFOLLOW-hardened — the
project's lock-path hardening was applied inconsistently. Share one
read_file_nofollow loader for both file reads so they cannot diverge
again; a symlinked ~/.face now fails open with ELOOP and falls back to
the default avatar. Adds loader unit tests (regular file, symlink->ELOOP).

Bundles clippy cleanup: c"" literal in auth.rs, let-chains, drop
redundant gtk4_session_lock import, blur guard via .filter() (unifies
with moongreet/moonset).

.gitea/workflows/ci.yaml

@@ -0,0 +1,22 @@
+# ABOUTME: Runs cargo audit (RustSec CVE scan) against the locked dependency tree.
+# ABOUTME: Supply-chain gate — fails on a known advisory.
+
+name: Audit
+
+on:
+  push:
+    branches: [main]
+    tags: ['v*']
+  pull_request:
+    branches: [main]
+
+jobs:
+  cargo-audit:
+    runs-on: moonarch
+    steps:
+      - name: Checkout
+        run: git clone http://gitea:3000/nevaforget/moonlock.git src
+      - name: Install cargo-audit
+        run: cargo install cargo-audit --locked
+      - name: Audit
+        run: cd src && cargo audit

.gitignore

@@ -1,7 +1,3 @@
 /target
 
-# makepkg build artifacts
-pkg/src/
-pkg/pkg/
-pkg/moonlock/
-pkg/*.pkg.tar.*
+.pytest_cache/

CLAUDE.md

@@ -1,63 +1,63 @@
 # Moonlock
 
-## Projekt
+## Project
 
-Moonlock ist ein sicherer Wayland-Lockscreen, gebaut mit Rust + gtk4-rs + ext-session-lock-v1.
-Teil des Moonarch-Ökosystems.
+Moonlock is a secure Wayland lockscreen, built with Rust + gtk4-rs + ext-session-lock-v1.
+Part of the Moonarch ecosystem.
 
-## Tech-Stack
+## Tech Stack
 
-- Rust (Edition 2024), gtk4-rs 0.11, glib 0.22
-- gtk4-session-lock 0.4 für ext-session-lock-v1 Protokoll
-- PAM-Authentifizierung via Raw FFI (libc, libpam.so)
-- fprintd D-Bus Integration (gio::DBusProxy) für Fingerabdruck-Unlock
-- zeroize für sicheres Passwort-Wiping
-- `cargo test` für Unit-Tests
+- Rust (edition 2024), gtk4-rs 0.11, glib 0.22
+- gtk4-session-lock 0.4 for the ext-session-lock-v1 protocol
+- PAM authentication via raw FFI (libc, libpam.so)
+- fprintd D-Bus integration (gio::DBusProxy) for fingerprint unlock
+- zeroize for secure password wiping
+- `cargo test` for unit tests
 
-## Projektstruktur
+## Project Structure
 
-- `src/` — Rust-Quellcode (main.rs, lockscreen.rs, auth.rs, fingerprint.rs, config.rs, i18n.rs, users.rs, power.rs)
-- `resources/` — GResource-Assets (style.css, default-avatar.svg)
-- `config/` — PAM-Konfiguration und Beispiel-Config
+- `src/` — Rust source code (main.rs, lockscreen.rs, auth.rs, fingerprint.rs, config.rs, i18n.rs, users.rs, power.rs)
+- `resources/` — GResource assets (style.css, default-avatar.svg)
+- `config/` — PAM configuration and example config
 
-## Kommandos
+## Commands
 
 ```bash
-# Tests ausführen
+# Run tests
 cargo test
 
-# Release-Build
+# Release build
 cargo build --release
 
-# Lockscreen starten (zum Testen)
+# Start the lockscreen (for testing)
 LD_PRELOAD=/usr/lib/libgtk4-layer-shell.so ./target/release/moonlock
 ```
 
-## Architektur
+## Architecture
 
-- `auth.rs` — PAM-Authentifizierung via Raw FFI (unsafe extern "C" conv callback, msg_style-aware, Zeroizing<CString>)
-- `fingerprint.rs` — fprintd D-Bus Listener, async init/claim/verify via gio futures, sender-validated signal handler, cleanup_dbus() für sauberen D-Bus-Lifecycle, running_flag für Race-Safety in async restarts, on_exhausted callback after MAX_FP_ATTEMPTS, resume_async() für Neustart nach transientem Fehler (mit failed_attempts-Reset und Signal-Handler-Cleanup)
-- `users.rs` — Aktuellen User via nix getuid, Avatar-Loading mit Symlink-Rejection
-- `power.rs` — Reboot/Shutdown via /usr/bin/systemctl
-- `i18n.rs` — Locale-Erkennung (OnceLock-cached) und String-Tabellen (DE/EN), faillock_warning mit konfigurierbarem max_attempts
-- `config.rs` — TOML-Config (background_path, background_blur clamped [0,200], fingerprint_enabled als Option<bool>) + Wallpaper-Fallback + Symlink-Rejection via symlink_metadata + Parse-Error-Logging
-- `lockscreen.rs` — GTK4 UI via LockscreenHandles, PAM-Auth via gio::spawn_blocking mit 30s Timeout und Generation Counter, FP-Success ruft unlock_callback direkt (PAM-Stack ohne account-Modul, Lockout via auth-Pfad und MAX_FP_ATTEMPTS), Zeroizing<String> für Passwort, Power-Confirm, GPU-Blur via GskBlurNode (Downscale auf max 1920px), Blur/Avatar-Cache für Multi-Monitor
-- `main.rs` — Entry Point, Panic-Hook (vor Logging), Root-Check, ext-session-lock-v1 (Pflicht in Release), Monitor-Hotplug via `connect_monitor`-Signal (v1_2), Unlock via `unlock()` + `connect_unlocked`→`app.quit()` (Lib zerstört die Lock-Fenster selbst beim Lock-Ende — kein eigenes Destroy/quit, sonst Double-Destroy-SIGSEGV), shared Blur/Avatar-Caches in Rc, systemd-Journal-Logging, Debug-Level per `MOONLOCK_DEBUG` Env-Var, async fprintd-Init nach window.present()
+- `auth.rs` — PAM authentication via raw FFI (unsafe extern "C" conv callback, msg_style-aware, Zeroizing<CString>)
+- `fingerprint.rs` — fprintd D-Bus listener, async init/claim/verify via gio futures, sender-validated signal handler, cleanup_dbus() for a clean D-Bus lifecycle, running_flag for race safety in async restarts, on_exhausted callback after MAX_FP_ATTEMPTS, resume_async() for restart after a transient error (with failed_attempts reset and signal handler cleanup)
+- `users.rs` — current user via nix getuid, avatar loading with symlink rejection
+- `power.rs` — reboot/shutdown via /usr/bin/systemctl
+- `i18n.rs` — locale detection (OnceLock-cached) and string tables (DE/EN), faillock_warning with configurable max_attempts
+- `config.rs` — TOML config (background_path, background_blur clamped [0,200], fingerprint_enabled as Option<bool>) + wallpaper fallback + symlink rejection via symlink_metadata + parse-error logging
+- `lockscreen.rs` — GTK4 UI via LockscreenHandles, PAM auth via gio::spawn_blocking with a 30s timeout and generation counter, FP success calls unlock_callback directly (PAM stack without account module, lockout via the auth path and MAX_FP_ATTEMPTS), Zeroizing<String> for the password, power confirm, GPU blur via GskBlurNode (downscale to max 1920px), blur/avatar cache for multi-monitor
+- `main.rs` — entry point, panic hook (before logging), root check, ext-session-lock-v1 (mandatory in release), monitor hotplug via the `connect_monitor` signal (v1_2), unlock via `unlock()` + `connect_unlocked`→`app.quit()` (the lib destroys the lock windows itself when the lock ends — no own destroy/quit, otherwise double-destroy SIGSEGV), shared blur/avatar caches in Rc, systemd journal logging, debug level via the `MOONLOCK_DEBUG` env var, async fprintd init after window.present()
 
-## Sicherheit
+## Security
 
-- ext-session-lock-v1 garantiert: Compositor sperrt alle Surfaces bei lock()
-- Release-Build: Ohne ext-session-lock-v1 wird `exit(1)` aufgerufen — kein Fenster-Fallback
-- Panic-Hook: Bei Crash wird geloggt, aber NIEMALS unlock() aufgerufen — Screen bleibt schwarz. Hook wird vor Logging installiert.
-- PAM-Callback: msg_style-aware (Passwort nur bei PAM_PROMPT_ECHO_OFF), strdup-OOM-sicher, num_msg-Guard gegen negative Werte
-- fprintd: D-Bus Signal-Sender wird gegen fprintd's unique bus name validiert (Anti-Spoofing)
-- Passwort: Zeroizing<String> ab GTK-Entry-Extraktion, Zeroizing<CString> im PAM-FFI-Layer (bekannte Einschränkung: GLib-GString und strdup-Kopie in PAM werden nicht gezeroized — inhärente GTK/libc-Limitierung)
-- Fingerprint-Unlock: ruft unlock_callback direkt nach verify-match (kein zusätzlicher PAM-acct-Check, weil PAM-Stack nur `auth include login` enthält — wie swaylock); FP-Lockout ist über MAX_FP_ATTEMPTS in fingerprint.rs umgesetzt
-- PAM-Stack: nur `auth include login` (Standard-Pattern wie swaylock/gtklock); kein `account`/`session`-Stack, weil Lockscreen keinen Session-Lifecycle managed und `pam_unix(account)` setuid root benötigt
-- Wallpaper wird vor lock() geladen — connect_monitor feuert während lock() und braucht die Textur; lokales JPEG-Laden ist schnell genug
-- PAM-Timeout: 30s Timeout verhindert permanentes Aussperren bei hängenden PAM-Modulen, Generation Counter verhindert Interferenz paralleler Auth-Versuche
-- Root-Check: Exit mit Fehler wenn als root gestartet
-- Faillock: UI-Warnung nach 3 Fehlversuchen, aber PAM entscheidet über Lockout (Entry bleibt aktiv)
-- Kein Schließen per Escape/Alt-F4 — nur durch erfolgreiche PAM-Auth oder Fingerprint
-- Peek-Icon am Passwortfeld aktiv (UX-Entscheidung, konsistent mit moongreet)
-- GResource-Bundle: CSS/Assets in der Binary kompiliert
+- ext-session-lock-v1 guarantees: the compositor locks all surfaces on lock()
+- Release build: without ext-session-lock-v1, `exit(1)` is called — no window fallback
+- Panic hook: on a crash it logs, but NEVER calls unlock() — the screen stays black. The hook is installed before logging.
+- PAM callback: msg_style-aware (password only on PAM_PROMPT_ECHO_OFF), strdup-OOM-safe, num_msg guard against negative values
+- fprintd: the D-Bus signal sender is validated against fprintd's unique bus name (anti-spoofing)
+- Password: Zeroizing<String> from GTK entry extraction, Zeroizing<CString> in the PAM FFI layer (known limitation: the GLib GString and the strdup copy in PAM are not zeroized — an inherent GTK/libc limitation)
+- Fingerprint unlock: calls unlock_callback directly after a verify match (no additional PAM acct check, because the PAM stack contains only `auth include login` — like swaylock); FP lockout is implemented via MAX_FP_ATTEMPTS in fingerprint.rs
+- PAM stack: only `auth include login` (standard pattern like swaylock/gtklock); no `account`/`session` stack, because the lockscreen does not manage a session lifecycle and `pam_unix(account)` requires setuid root
+- The wallpaper is loaded before lock() — connect_monitor fires during lock() and needs the texture; local JPEG loading is fast enough
+- PAM timeout: a 30s timeout prevents permanent lockout when PAM modules hang, the generation counter prevents interference from parallel auth attempts
+- Root check: exits with an error if started as root
+- Faillock: UI warning after 3 failed attempts, but PAM decides on lockout (the entry stays active)
+- No closing via Escape/Alt-F4 — only via successful PAM auth or fingerprint
+- Peek icon on the password field active (UX decision, consistent with moongreet)
+- GResource bundle: CSS/assets compiled into the binary

Cargo.lock

@@ -575,7 +575,7 @@ dependencies = [
 
 [[package]]
 name = "moonlock"
-version = "0.6.17"
+version = "0.6.19"
 dependencies = [
  "gdk-pixbuf",
  "gdk4",

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "moonlock"
-version = "0.6.17"
+version = "0.6.19"
 edition = "2024"
 description = "A secure Wayland lockscreen with GTK4, PAM and fingerprint support"
 license = "MIT"
@@ -28,7 +28,6 @@ tempfile = "3"
 glib-build-tools = "0.22"
 
 [profile.release]
-lto = "thin"
+lto = "fat"
 codegen-units = 1
-strip = false
-debug = true
+strip = true

DECISIONS.md

@@ -2,6 +2,27 @@
 
 Architectural and design decisions for Moonlock, in reverse chronological order.
 
+## 2026-06-17 – Harden avatar load against symlink TOCTOU via a shared O_NOFOLLOW loader (v0.6.19)
+
+- **Who**: ClaudeCode, Dom
+- **Why**: A security audit found SEC-01 (LOW): `set_avatar_from_file` (`lockscreen.rs`) opened `~/.face` / the AccountsService icon via `gio::File::for_path().read_future()`, which follows symlinks unconditionally, while the wallpaper load (`load_background_texture`) was already hardened with `O_NOFOLLOW` (2026-04-24). `users::get_avatar_path_with` rejects symlinks via `symlink_metadata()`, but a TOCTOU window remained between that stat and the GIO open. The root cause was not the avatar code per se but that the `O_NOFOLLOW` open idiom was inlined in one place and absent from the other — the project's own lock-path hardening contract was applied inconsistently. Impact is below the primary threat model (exploiting it needs write access to `~/.face`, i.e. an already-compromised session; the screen stays locked either way), hence LOW.
+- **Tradeoffs**: Extracted a shared `read_file_nofollow` rather than duplicating the open idiom, so the two file reads on the lock path cannot diverge again. The avatar read moved onto a blocking thread via `gio::spawn_blocking` (was a GIO async read) to keep the open off the GTK main loop, then decodes from an in-memory `MemoryInputStream`, preserving the scaled `AVATAR_SIZE` decode. No integration test for `set_avatar_from_file` itself — GTK + async, not unit-testable without a harness; the security primitive (`O_NOFOLLOW` → `ELOOP`) is covered by a unit test that goes red if the flag is removed (verified by temporarily dropping it). SEC-02 (fallback wallpaper `is_file()`) and SEC-03 (PAM `strdup` not zeroed) were reviewed and left as-is: the former is still protected by `O_NOFOLLOW` at open time and is a root-only system path, the latter is an inherent PAM-API limitation outside the lock threat model, already documented in `CLAUDE.md`.
+- **How**: (1) New `read_file_nofollow(&Path) -> io::Result<Vec<u8>>` in `lockscreen.rs`, used by both `load_background_texture` and `set_avatar_from_file`. (2) The avatar load reads via `gio::spawn_blocking(read_file_nofollow)` then decodes from a `MemoryInputStream`; a symlinked avatar now fails the open with `ELOOP`, logs a warning, and falls back to the default avatar. (3) Two unit tests for the loader (regular file → bytes; symlink → `ELOOP`). (4) Clippy cleanup bundled in: `c""` C-string literal in `auth.rs`, `let`-chains in `config.rs`/`users.rs`, removed redundant `use gtk4_session_lock;` in `main.rs`, blur guard collapsed to `blur_radius.filter(|s| *s > 0.0)` (unifies with moongreet/moonset, which already used that form). Verified: `cargo test` (48 passed), `cargo clippy --release` (0 warnings), `cargo build --release`.
+
+## 2026-06-17 – Add cargo-audit CI gate, remove orphaned `-git` PKGBUILD
+
+- **Who**: ClaudeCode, Dom
+- **Why**: A hygiene audit found supply chain and dependency health clean (`cargo audit` 0.22.2: 0 vulnerabilities across 116 crates), but flagged repo-hygiene gaps: CI (`.gitea/workflows/`) only auto-bumped pkgver and ran no vulnerability scan, so a future advisory against a locked dependency would go undetected; `pkg/PKGBUILD` was an orphaned `moonlock-git` VCS PKGBUILD (`pkgver=0.4.1.r1...`, two minor versions behind v0.6.18) left over from the pre-tag-build era — the canonical packaging now lives in `moonarch-pkgbuilds/moonlock/PKGBUILD` and is auto-bumped by `update-pkgver.yaml`; a stray `.pytest_cache/` sat in the repo root of this pure-Rust project, only suppressed by a user-global gitignore.
+- **Tradeoffs**: CI gate scoped to `cargo audit` only, not `cargo test`/`clippy`/`build` — `cargo audit` parses `Cargo.lock` and needs no GTK4/PAM build environment, whereas the broader checks depend on the `moonarch` runner having the full dev toolchain, which is unverified and beyond the hygiene scope. `cargo install cargo-audit` recompiles per run (~2-3 min); accepted, caching deferred. Open risk: the runner must provide a Rust toolchain (`cargo`); `update-pkgver.yaml` only uses `git`, so this needs validation on first run. Deleting `pkg/PKGBUILD` rather than updating it: it is not in the build pipeline and the `-git` variant was abandoned at the tag-build switch (see `moonarch-pkgbuilds/DECISIONS.md` 2026-06-10).
+- **How**: New `.gitea/workflows/ci.yaml` (`Audit` workflow, triggers on push to `main`, `v*` tags, and PRs to `main`) clones the repo and runs `cargo audit`. Removed `pkg/PKGBUILD` and the empty `pkg/` dir; dropped the now-dead `pkg/*` makepkg-artifact lines from `.gitignore` and added `.pytest_cache/`. No version bump — no code or behavior change to the binary.
+
+## 2026-06-17 – Restore hardened release profile after the crash hunt (v0.6.18)
+
+- **Who**: ClaudeCode, Dom
+- **Why**: A security audit found the `[profile.release]` in `Cargo.toml` had silently drifted from the hardened profile decided on 2026-04-24 (`lto = "fat"`, `strip = true`). Git blame traced the drift to v0.6.14 (commit `85cf039`, "refactor: power-confirm via PowerAction table"): `lto` was reverted `fat`→`thin`, `strip` flipped `true`→`false`, and `debug = true` was added — all bundled into an unrelated refactor commit, with no commit-message mention and no entry here. The pattern (no strip + debug symbols + faster thin LTO) was a debug aid for the suspend/resume SIGSEGV hunt that ran v0.6.9–v0.6.17, giving symbolized coredump backtraces. That crash is fixed as of v0.6.17, so the debug profile has outlived its purpose, while shipping debug symbols on a security-critical auth binary eases reverse-engineering of the auth path and bloats the binary.
+- **Tradeoffs**: Restoring `lto = "fat"` roughly doubles release build time (~30 s → ~60 s) for better cross-crate inlining; acceptable for a binary compiled once per release. Dropping `strip = false` + `debug = true` means field coredumps are no longer symbolized out of the box — a deliberate trade now that the crash is resolved; debug symbols can be re-enabled temporarily if a new crash needs hunting. Not chosen: keeping `lto = "fat"` but retaining the debug symbols — rejected because the symbols' only justification (the crash hunt) is gone.
+- **How**: `Cargo.toml` `[profile.release]` restored to `lto = "fat"`, `strip = true`, with the `debug = true` line removed; `codegen-units = 1` unchanged. Verified via `file target/release/moonlock` reporting a stripped binary.
+
 ## 2026-06-02 – Real fix for the unlock SIGSEGV: quit in ::unlocked, never destroy windows ourselves (v0.6.17)
 
 - **Who**: ClaudeCode, Dom

pkg/PKGBUILD

@@ -1,51 +0,0 @@
-# ABOUTME: PKGBUILD for Moonlock — secure Wayland lockscreen.
-# ABOUTME: Builds from git source with automatic version detection.
-
-# Maintainer: Dominik Kressler
-
-pkgname=moonlock-git
-pkgver=0.4.1.r1.g78bcf90
-pkgrel=1
-pkgdesc="A secure Wayland lockscreen with GTK4, PAM and fingerprint support"
-arch=('x86_64')
-url="https://gitea.moonarch.de/nevaforget/moonlock"
-license=('MIT')
-depends=(
-    'gtk4'
-    'gtk4-layer-shell'
-    'gtk-session-lock'
-    'pam'
-    'systemd-libs'
-)
-makedepends=(
-    'git'
-    'cargo'
-)
-optdepends=(
-    'fprintd: fingerprint authentication support'
-)
-provides=('moonlock')
-conflicts=('moonlock')
-source=("git+${url}.git")
-sha256sums=('SKIP')
-
-pkgver() {
-    cd "$srcdir/moonlock"
-    git describe --long --tags | sed 's/^v//;s/-/.r/;s/-/./'
-}
-
-build() {
-    cd "$srcdir/moonlock"
-    cargo build --release --locked
-}
-
-package() {
-    cd "$srcdir/moonlock"
-    install -Dm755 target/release/moonlock "$pkgdir/usr/bin/moonlock"
-
-    # PAM configuration
-    install -Dm644 config/moonlock-pam "$pkgdir/etc/pam.d/moonlock"
-
-    # Example config
-    install -Dm644 config/moonlock.toml.example "$pkgdir/etc/moonlock/moonlock.toml.example"
-}

src/auth.rs

@@ -115,7 +115,7 @@ unsafe extern "C" fn pam_conv_callback(
                 }
                 PAM_PROMPT_ECHO_ON => {
                     // Visible prompt — provide empty string, never the password
-                    let empty = libc::strdup(b"\0".as_ptr() as *const libc::c_char);
+                    let empty = libc::strdup(c"".as_ptr());
                     if empty.is_null() {
                         for j in 0..i {
                             let prev = resp_array.offset(j);

src/config.rs

@@ -72,8 +72,11 @@ pub fn resolve_background_path(config: &Config) -> Option<PathBuf> {
 pub fn resolve_background_path_with(config: &Config, moonarch_wallpaper: &Path) -> Option<PathBuf> {
     if let Some(ref bg) = config.background_path {
         let path = PathBuf::from(bg);
-        if let Ok(meta) = path.symlink_metadata() {
-            if meta.is_file() && !meta.file_type().is_symlink() { return Some(path); }
+        if let Ok(meta) = path.symlink_metadata()
+            && meta.is_file()
+            && !meta.file_type().is_symlink()
+        {
+            return Some(path);
         }
     }
     if moonarch_wallpaper.is_file() { return Some(moonarch_wallpaper.to_path_buf()); }

src/lockscreen.rs

@@ -24,7 +24,6 @@ use crate::users;
 pub struct LockscreenHandles {
     pub window: gtk::ApplicationWindow,
     pub fp_label: gtk::Label,
-    pub password_entry: gtk::PasswordEntry,
     pub unlock_callback: Rc<dyn Fn()>,
     pub username: String,
     state: Rc<RefCell<LockscreenState>>,
@@ -67,7 +66,6 @@ pub fn create_lockscreen_window(
             return LockscreenHandles {
                 window,
                 fp_label,
-                password_entry: gtk::PasswordEntry::new(),
                 unlock_callback,
                 username: String::new(),
                 state: Rc::new(RefCell::new(LockscreenState {
@@ -357,7 +355,6 @@ pub fn create_lockscreen_window(
     LockscreenHandles {
         window,
         fp_label,
-        password_entry: password_entry.clone(),
         unlock_callback,
         username: user.username,
         state: state.clone(),
@@ -445,6 +442,23 @@ pub fn start_fingerprint(
     });
 }
 
+/// Read a file with O_NOFOLLOW so a symlink swapped in after a prior
+/// stat-based check (TOCTOU) fails the open with ELOOP instead of being
+/// followed. Shared by the wallpaper and avatar loads — the two file reads
+/// on the lock path.
+fn read_file_nofollow(path: &Path) -> std::io::Result<Vec<u8>> {
+    use std::io::Read;
+    use std::os::unix::fs::OpenOptionsExt;
+
+    let mut file = std::fs::OpenOptions::new()
+        .read(true)
+        .custom_flags(libc::O_NOFOLLOW)
+        .open(path)?;
+    let mut bytes = Vec::new();
+    file.read_to_end(&mut bytes)?;
+    Ok(bytes)
+}
+
 /// Load the wallpaper as a texture once, for sharing across all windows.
 /// Returns None if no wallpaper path is provided or the file cannot be loaded.
 /// Blur is applied at render time via GPU (GskBlurNode), not here.
@@ -453,25 +467,13 @@ pub fn start_fingerprint(
 /// symlink check in `resolve_background_path_with` and this read. If the path
 /// was swapped for a symlink after the check, `open` fails with ELOOP.
 pub fn load_background_texture(bg_path: &Path) -> Option<gdk::Texture> {
-    use std::io::Read;
-    use std::os::unix::fs::OpenOptionsExt;
-
-    let mut file = match std::fs::OpenOptions::new()
-        .read(true)
-        .custom_flags(libc::O_NOFOLLOW)
-        .open(bg_path)
-    {
-        Ok(f) => f,
+    let bytes = match read_file_nofollow(bg_path) {
+        Ok(b) => b,
         Err(e) => {
-            log::warn!("Failed to open wallpaper {}: {e}", bg_path.display());
-            return None;
-        }
-    };
-    let mut bytes = Vec::new();
-    if let Err(e) = file.read_to_end(&mut bytes) {
             log::warn!("Failed to read wallpaper {}: {e}", bg_path.display());
             return None;
         }
+    };
     let glib_bytes = glib::Bytes::from_owned(bytes);
     match gdk::Texture::from_bytes(&glib_bytes) {
         Ok(texture) => Some(texture),
@@ -498,8 +500,7 @@ fn create_background_picture(
     background.set_hexpand(true);
     background.set_vexpand(true);
 
-    if let Some(sigma) = blur_radius {
-        if sigma > 0.0 {
+    if let Some(sigma) = blur_radius.filter(|s| *s > 0.0) {
         let texture = texture.clone();
         let cache = blur_cache.clone();
         background.connect_realize(move |picture| {
@@ -513,7 +514,6 @@ fn create_background_picture(
             }
         });
     }
-    }
 
     background
 }
@@ -588,18 +588,25 @@ fn set_avatar_from_file(
     image.set_icon_name(Some("avatar-default-symbolic"));
 
     let display_path = path.to_path_buf();
-    let file = gio::File::for_path(path);
+    let read_path = path.to_path_buf();
     let image_clone = image.clone();
     let cache_clone = cache.clone();
 
     glib::spawn_future_local(async move {
-        let stream = match file.read_future(glib::Priority::default()).await {
-            Ok(s) => s,
-            Err(e) => {
+        // Read with O_NOFOLLOW on a blocking thread to close the TOCTOU window
+        // between the symlink check in users::get_avatar_path_with and this open.
+        let bytes = match gio::spawn_blocking(move || read_file_nofollow(&read_path)).await {
+            Ok(Ok(b)) => b,
+            Ok(Err(e)) => {
                 log::warn!("Failed to open avatar {}: {e}", display_path.display());
                 return;
             }
+            Err(_) => {
+                log::warn!("Avatar read task failed for {}", display_path.display());
+                return;
+            }
         };
+        let stream = gio::MemoryInputStream::from_bytes(&glib::Bytes::from_owned(bytes));
         match Pixbuf::from_stream_at_scale_future(&stream, AVATAR_SIZE, AVATAR_SIZE, true).await {
             Ok(pixbuf) => {
                 let texture = gdk::Texture::for_pixbuf(&pixbuf);
@@ -834,4 +841,25 @@ mod tests {
     fn avatar_size_matches_css() {
         assert_eq!(AVATAR_SIZE, 128);
     }
+
+    #[test]
+    fn read_file_nofollow_reads_regular_file() {
+        let dir = tempfile::tempdir().unwrap();
+        let file = dir.path().join("avatar.png");
+        std::fs::write(&file, b"avatar-bytes").unwrap();
+        assert_eq!(read_file_nofollow(&file).unwrap(), b"avatar-bytes");
+    }
+
+    #[test]
+    fn read_file_nofollow_rejects_symlink() {
+        use std::os::unix::fs::symlink;
+        let dir = tempfile::tempdir().unwrap();
+        let target = dir.path().join("secret");
+        std::fs::write(&target, b"secret").unwrap();
+        let link = dir.path().join("avatar.png");
+        symlink(&target, &link).unwrap();
+        // O_NOFOLLOW makes the open fail with ELOOP instead of following the link.
+        let err = read_file_nofollow(&link).unwrap_err();
+        assert_eq!(err.raw_os_error(), Some(libc::ELOOP));
+    }
 }

src/main.rs

@@ -12,7 +12,6 @@ mod users;
 use gdk4 as gdk;
 use gtk4::prelude::*;
 use gtk4::{self as gtk, gio};
-use gtk4_session_lock;
 use std::cell::{Cell, RefCell};
 use std::rc::Rc;
 

src/users.rs

@@ -12,7 +12,6 @@ pub struct User {
     pub username: String,
     pub display_name: String,
     pub home: PathBuf,
-    pub uid: u32,
 }
 
 pub fn get_current_user() -> Option<User> {
@@ -29,7 +28,7 @@ pub fn get_current_user() -> Option<User> {
         let first = gecos.split(',').next().unwrap_or("");
         if first.is_empty() { nix_user.name.clone() } else { first.to_string() }
     } else { nix_user.name.clone() };
-    Some(User { username: nix_user.name, display_name, home: nix_user.dir, uid: uid.as_raw() })
+    Some(User { username: nix_user.name, display_name, home: nix_user.dir })
 }
 
 pub fn get_avatar_path(home: &Path, username: &str) -> Option<PathBuf> {
@@ -39,14 +38,20 @@ pub fn get_avatar_path(home: &Path, username: &str) -> Option<PathBuf> {
 pub fn get_avatar_path_with(home: &Path, username: &str, accountsservice_dir: &Path) -> Option<PathBuf> {
     // ~/.face takes priority — single stat via symlink_metadata to avoid TOCTOU
     let face = home.join(".face");
-    if let Ok(meta) = face.symlink_metadata() {
-        if meta.is_file() && !meta.file_type().is_symlink() { return Some(face); }
+    if let Ok(meta) = face.symlink_metadata()
+        && meta.is_file()
+        && !meta.file_type().is_symlink()
+    {
+        return Some(face);
     }
     // AccountsService icon
     if accountsservice_dir.exists() {
         let icon = accountsservice_dir.join(username);
-        if let Ok(meta) = icon.symlink_metadata() {
-            if meta.is_file() && !meta.file_type().is_symlink() { return Some(icon); }
+        if let Ok(meta) = icon.symlink_metadata()
+            && meta.is_file()
+            && !meta.file_type().is_symlink()
+        {
+            return Some(icon);
         }
     }
     None