fix: harden avatar load against symlink TOCTOU (v0.6.19)

SEC-01 (security audit, LOW): the avatar load followed symlinks via
gio::File while the wallpaper load was already O_NOFOLLOW-hardened — the
project's lock-path hardening was applied inconsistently. Share one
read_file_nofollow loader for both file reads so they cannot diverge
again; a symlinked ~/.face now fails open with ELOOP and falls back to
the default avatar. Adds loader unit tests (regular file, symlink->ELOOP).

Bundles clippy cleanup: c"" literal in auth.rs, let-chains, drop
redundant gtk4_session_lock import, blur guard via .filter() (unifies
with moongreet/moonset).

.gitea/workflows/ci.yaml

@@ -0,0 +1,22 @@
+# ABOUTME: Runs cargo audit (RustSec CVE scan) against the locked dependency tree.
+# ABOUTME: Supply-chain gate — fails on a known advisory.
+
+name: Audit
+
+on:
+  push:
+    branches: [main]
+    tags: ['v*']
+  pull_request:
+    branches: [main]
+
+jobs:
+  cargo-audit:
+    runs-on: moonarch
+    steps:
+      - name: Checkout
+        run: git clone http://gitea:3000/nevaforget/moonlock.git src
+      - name: Install cargo-audit
+        run: cargo install cargo-audit --locked
+      - name: Audit
+        run: cd src && cargo audit

.gitea/workflows/update-pkgver.yaml

@@ -1,22 +1,22 @@
-# ABOUTME: Updates pkgver in moonarch-pkgbuilds after a push to main.
-# ABOUTME: Ensures paru detects new versions of this package.
+# ABOUTME: Updates pkgver in moonarch-pkgbuilds when a new moonlock tag is pushed.
+# ABOUTME: Reads the latest version tag and bumps the PKGBUILD + .SRCINFO.
 
 name: Update PKGBUILD version
 
 on:
   push:
-    branches:
-      - main
+    tags:
+      - 'v*'
 
 jobs:
   update-pkgver:
     runs-on: moonarch
     steps:
-      - name: Checkout source repo
+      - name: Determine pkgver from latest tag
         run: |
           git clone --bare http://gitea:3000/nevaforget/moonlock.git source.git
           cd source.git
-          PKGVER=$(git describe --long --tags | sed 's/^v//;s/-/.r/;s/-/./')
+          PKGVER=$(git describe --tags --abbrev=0 | sed 's/^v//')
           echo "New pkgver: $PKGVER"
           echo "$PKGVER" > /tmp/pkgver
 
@@ -26,18 +26,18 @@ jobs:
           git clone http://gitea:3000/nevaforget/moonarch-pkgbuilds.git pkgbuilds
           cd pkgbuilds
 
-          OLD_VER=$(grep '^pkgver=' moonlock-git/PKGBUILD | cut -d= -f2)
+          OLD_VER=$(grep '^pkgver=' moonlock/PKGBUILD | cut -d= -f2)
           if [ "$OLD_VER" = "$PKGVER" ]; then
             echo "pkgver already up to date ($PKGVER)"
             exit 0
           fi
 
-          sed -i "s/^pkgver=.*/pkgver=$PKGVER/" moonlock-git/PKGBUILD
-          sed -i "s/^\tpkgver = .*/\tpkgver = $PKGVER/" moonlock-git/.SRCINFO
+          sed -i "s/^pkgver=.*/pkgver=$PKGVER/" moonlock/PKGBUILD
+          sed -i "s/^\tpkgver = .*/\tpkgver = $PKGVER/" moonlock/.SRCINFO
           echo "Updated pkgver: $OLD_VER → $PKGVER"
 
           git config user.name "pkgver-bot"
           git config user.email "gitea@moonarch.de"
-          git add moonlock-git/PKGBUILD moonlock-git/.SRCINFO
-          git commit -m "chore(moonlock-git): bump pkgver to $PKGVER"
+          git add moonlock/PKGBUILD moonlock/.SRCINFO
+          git commit -m "chore(moonlock): bump pkgver to $PKGVER"
           git -c http.extraHeader="Authorization: token ${{ secrets.PKGBUILD_TOKEN }}" push

.gitignore

@@ -1,7 +1,3 @@
 /target
 
-# makepkg build artifacts
-pkg/src/
-pkg/pkg/
-pkg/moonlock/
-pkg/*.pkg.tar.*
+.pytest_cache/

CLAUDE.md

@@ -1,62 +1,63 @@
 # Moonlock
 
-## Projekt
+## Project
 
-Moonlock ist ein sicherer Wayland-Lockscreen, gebaut mit Rust + gtk4-rs + ext-session-lock-v1.
-Teil des Moonarch-Ökosystems.
+Moonlock is a secure Wayland lockscreen, built with Rust + gtk4-rs + ext-session-lock-v1.
+Part of the Moonarch ecosystem.
 
-## Tech-Stack
+## Tech Stack
 
-- Rust (Edition 2024), gtk4-rs 0.11, glib 0.22
-- gtk4-session-lock 0.4 für ext-session-lock-v1 Protokoll
-- PAM-Authentifizierung via Raw FFI (libc, libpam.so)
-- fprintd D-Bus Integration (gio::DBusProxy) für Fingerabdruck-Unlock
-- zeroize für sicheres Passwort-Wiping
-- `cargo test` für Unit-Tests
+- Rust (edition 2024), gtk4-rs 0.11, glib 0.22
+- gtk4-session-lock 0.4 for the ext-session-lock-v1 protocol
+- PAM authentication via raw FFI (libc, libpam.so)
+- fprintd D-Bus integration (gio::DBusProxy) for fingerprint unlock
+- zeroize for secure password wiping
+- `cargo test` for unit tests
 
-## Projektstruktur
+## Project Structure
 
-- `src/` — Rust-Quellcode (main.rs, lockscreen.rs, auth.rs, fingerprint.rs, config.rs, i18n.rs, users.rs, power.rs)
-- `resources/` — GResource-Assets (style.css, default-avatar.svg)
-- `config/` — PAM-Konfiguration und Beispiel-Config
+- `src/` — Rust source code (main.rs, lockscreen.rs, auth.rs, fingerprint.rs, config.rs, i18n.rs, users.rs, power.rs)
+- `resources/` — GResource assets (style.css, default-avatar.svg)
+- `config/` — PAM configuration and example config
 
-## Kommandos
+## Commands
 
 ```bash
-# Tests ausführen
+# Run tests
 cargo test
 
-# Release-Build
+# Release build
 cargo build --release
 
-# Lockscreen starten (zum Testen)
+# Start the lockscreen (for testing)
 LD_PRELOAD=/usr/lib/libgtk4-layer-shell.so ./target/release/moonlock
 ```
 
-## Architektur
+## Architecture
 
-- `auth.rs` — PAM-Authentifizierung via Raw FFI (unsafe extern "C" conv callback, msg_style-aware, Zeroizing<CString>), check_account() für pam_acct_mgmt-Only-Checks nach Fingerprint-Unlock
-- `fingerprint.rs` — fprintd D-Bus Listener, async init/claim/verify via gio futures, sender-validated signal handler, cleanup_dbus() für sauberen D-Bus-Lifecycle, running_flag für Race-Safety in async restarts, on_exhausted callback after MAX_FP_ATTEMPTS, resume_async() für Neustart nach transientem Fehler (mit failed_attempts-Reset und Signal-Handler-Cleanup)
-- `users.rs` — Aktuellen User via nix getuid, Avatar-Loading mit Symlink-Rejection
-- `power.rs` — Reboot/Shutdown via /usr/bin/systemctl
-- `i18n.rs` — Locale-Erkennung (OnceLock-cached) und String-Tabellen (DE/EN), faillock_warning mit konfigurierbarem max_attempts
-- `config.rs` — TOML-Config (background_path, background_blur clamped [0,200], fingerprint_enabled als Option<bool>) + Wallpaper-Fallback + Symlink-Rejection via symlink_metadata + Parse-Error-Logging
-- `lockscreen.rs` — GTK4 UI via LockscreenHandles, PAM-Auth via gio::spawn_blocking mit 30s Timeout und Generation Counter, FP-Label/Start separat verdrahtet mit pam_acct_mgmt-Check und auto-resume, Zeroizing<String> für Passwort, Power-Confirm, GPU-Blur via GskBlurNode (Downscale auf max 1920px), Blur/Avatar-Cache für Multi-Monitor
-- `main.rs` — Entry Point, Panic-Hook (vor Logging), Root-Check, ext-session-lock-v1 (Pflicht in Release), Monitor-Hotplug via `connect_monitor`-Signal (v1_2), shared Blur/Avatar-Caches in Rc, systemd-Journal-Logging, Debug-Level per `MOONLOCK_DEBUG` Env-Var, async fprintd-Init nach window.present()
+- `auth.rs` — PAM authentication via raw FFI (unsafe extern "C" conv callback, msg_style-aware, Zeroizing<CString>)
+- `fingerprint.rs` — fprintd D-Bus listener, async init/claim/verify via gio futures, sender-validated signal handler, cleanup_dbus() for a clean D-Bus lifecycle, running_flag for race safety in async restarts, on_exhausted callback after MAX_FP_ATTEMPTS, resume_async() for restart after a transient error (with failed_attempts reset and signal handler cleanup)
+- `users.rs` — current user via nix getuid, avatar loading with symlink rejection
+- `power.rs` — reboot/shutdown via /usr/bin/systemctl
+- `i18n.rs` — locale detection (OnceLock-cached) and string tables (DE/EN), faillock_warning with configurable max_attempts
+- `config.rs` — TOML config (background_path, background_blur clamped [0,200], fingerprint_enabled as Option<bool>) + wallpaper fallback + symlink rejection via symlink_metadata + parse-error logging
+- `lockscreen.rs` — GTK4 UI via LockscreenHandles, PAM auth via gio::spawn_blocking with a 30s timeout and generation counter, FP success calls unlock_callback directly (PAM stack without account module, lockout via the auth path and MAX_FP_ATTEMPTS), Zeroizing<String> for the password, power confirm, GPU blur via GskBlurNode (downscale to max 1920px), blur/avatar cache for multi-monitor
+- `main.rs` — entry point, panic hook (before logging), root check, ext-session-lock-v1 (mandatory in release), monitor hotplug via the `connect_monitor` signal (v1_2), unlock via `unlock()` + `connect_unlocked`→`app.quit()` (the lib destroys the lock windows itself when the lock ends — no own destroy/quit, otherwise double-destroy SIGSEGV), shared blur/avatar caches in Rc, systemd journal logging, debug level via the `MOONLOCK_DEBUG` env var, async fprintd init after window.present()
 
-## Sicherheit
+## Security
 
-- ext-session-lock-v1 garantiert: Compositor sperrt alle Surfaces bei lock()
-- Release-Build: Ohne ext-session-lock-v1 wird `exit(1)` aufgerufen — kein Fenster-Fallback
-- Panic-Hook: Bei Crash wird geloggt, aber NIEMALS unlock() aufgerufen — Screen bleibt schwarz. Hook wird vor Logging installiert.
-- PAM-Callback: msg_style-aware (Passwort nur bei PAM_PROMPT_ECHO_OFF), strdup-OOM-sicher, num_msg-Guard gegen negative Werte
-- fprintd: D-Bus Signal-Sender wird gegen fprintd's unique bus name validiert (Anti-Spoofing)
-- Passwort: Zeroizing<String> ab GTK-Entry-Extraktion, Zeroizing<CString> im PAM-FFI-Layer (bekannte Einschränkung: GLib-GString und strdup-Kopie in PAM werden nicht gezeroized — inhärente GTK/libc-Limitierung)
-- Fingerprint-Unlock: pam_acct_mgmt-Check nach verify-match erzwingt Account-Policies (Lockout, Ablauf), resume_async() startet FP bei transientem Fehler neu (mit failed_attempts-Reset und Signal-Handler-Cleanup)
-- Wallpaper wird vor lock() geladen — connect_monitor feuert während lock() und braucht die Textur; lokales JPEG-Laden ist schnell genug
-- PAM-Timeout: 30s Timeout verhindert permanentes Aussperren bei hängenden PAM-Modulen, Generation Counter verhindert Interferenz paralleler Auth-Versuche
-- Root-Check: Exit mit Fehler wenn als root gestartet
-- Faillock: UI-Warnung nach 3 Fehlversuchen, aber PAM entscheidet über Lockout (Entry bleibt aktiv)
-- Kein Schließen per Escape/Alt-F4 — nur durch erfolgreiche PAM-Auth oder Fingerprint
-- Peek-Icon am Passwortfeld aktiv (UX-Entscheidung, konsistent mit moongreet)
-- GResource-Bundle: CSS/Assets in der Binary kompiliert
+- ext-session-lock-v1 guarantees: the compositor locks all surfaces on lock()
+- Release build: without ext-session-lock-v1, `exit(1)` is called — no window fallback
+- Panic hook: on a crash it logs, but NEVER calls unlock() — the screen stays black. The hook is installed before logging.
+- PAM callback: msg_style-aware (password only on PAM_PROMPT_ECHO_OFF), strdup-OOM-safe, num_msg guard against negative values
+- fprintd: the D-Bus signal sender is validated against fprintd's unique bus name (anti-spoofing)
+- Password: Zeroizing<String> from GTK entry extraction, Zeroizing<CString> in the PAM FFI layer (known limitation: the GLib GString and the strdup copy in PAM are not zeroized — an inherent GTK/libc limitation)
+- Fingerprint unlock: calls unlock_callback directly after a verify match (no additional PAM acct check, because the PAM stack contains only `auth include login` — like swaylock); FP lockout is implemented via MAX_FP_ATTEMPTS in fingerprint.rs
+- PAM stack: only `auth include login` (standard pattern like swaylock/gtklock); no `account`/`session` stack, because the lockscreen does not manage a session lifecycle and `pam_unix(account)` requires setuid root
+- The wallpaper is loaded before lock() — connect_monitor fires during lock() and needs the texture; local JPEG loading is fast enough
+- PAM timeout: a 30s timeout prevents permanent lockout when PAM modules hang, the generation counter prevents interference from parallel auth attempts
+- Root check: exits with an error if started as root
+- Faillock: UI warning after 3 failed attempts, but PAM decides on lockout (the entry stays active)
+- No closing via Escape/Alt-F4 — only via successful PAM auth or fingerprint
+- Peek icon on the password field active (UX decision, consistent with moongreet)
+- GResource bundle: CSS/assets compiled into the binary

Cargo.lock

@@ -575,7 +575,7 @@ dependencies = [
 
 [[package]]
 name = "moonlock"
-version = "0.6.12"
+version = "0.6.19"
 dependencies = [
  "gdk-pixbuf",
  "gdk4",

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "moonlock"
-version = "0.6.12"
+version = "0.6.19"
 edition = "2024"
 description = "A secure Wayland lockscreen with GTK4, PAM and fingerprint support"
 license = "MIT"

DECISIONS.md

@@ -2,6 +2,55 @@
 
 Architectural and design decisions for Moonlock, in reverse chronological order.
 
+## 2026-06-17 – Harden avatar load against symlink TOCTOU via a shared O_NOFOLLOW loader (v0.6.19)
+
+- **Who**: ClaudeCode, Dom
+- **Why**: A security audit found SEC-01 (LOW): `set_avatar_from_file` (`lockscreen.rs`) opened `~/.face` / the AccountsService icon via `gio::File::for_path().read_future()`, which follows symlinks unconditionally, while the wallpaper load (`load_background_texture`) was already hardened with `O_NOFOLLOW` (2026-04-24). `users::get_avatar_path_with` rejects symlinks via `symlink_metadata()`, but a TOCTOU window remained between that stat and the GIO open. The root cause was not the avatar code per se but that the `O_NOFOLLOW` open idiom was inlined in one place and absent from the other — the project's own lock-path hardening contract was applied inconsistently. Impact is below the primary threat model (exploiting it needs write access to `~/.face`, i.e. an already-compromised session; the screen stays locked either way), hence LOW.
+- **Tradeoffs**: Extracted a shared `read_file_nofollow` rather than duplicating the open idiom, so the two file reads on the lock path cannot diverge again. The avatar read moved onto a blocking thread via `gio::spawn_blocking` (was a GIO async read) to keep the open off the GTK main loop, then decodes from an in-memory `MemoryInputStream`, preserving the scaled `AVATAR_SIZE` decode. No integration test for `set_avatar_from_file` itself — GTK + async, not unit-testable without a harness; the security primitive (`O_NOFOLLOW` → `ELOOP`) is covered by a unit test that goes red if the flag is removed (verified by temporarily dropping it). SEC-02 (fallback wallpaper `is_file()`) and SEC-03 (PAM `strdup` not zeroed) were reviewed and left as-is: the former is still protected by `O_NOFOLLOW` at open time and is a root-only system path, the latter is an inherent PAM-API limitation outside the lock threat model, already documented in `CLAUDE.md`.
+- **How**: (1) New `read_file_nofollow(&Path) -> io::Result<Vec<u8>>` in `lockscreen.rs`, used by both `load_background_texture` and `set_avatar_from_file`. (2) The avatar load reads via `gio::spawn_blocking(read_file_nofollow)` then decodes from a `MemoryInputStream`; a symlinked avatar now fails the open with `ELOOP`, logs a warning, and falls back to the default avatar. (3) Two unit tests for the loader (regular file → bytes; symlink → `ELOOP`). (4) Clippy cleanup bundled in: `c""` C-string literal in `auth.rs`, `let`-chains in `config.rs`/`users.rs`, removed redundant `use gtk4_session_lock;` in `main.rs`, blur guard collapsed to `blur_radius.filter(|s| *s > 0.0)` (unifies with moongreet/moonset, which already used that form). Verified: `cargo test` (48 passed), `cargo clippy --release` (0 warnings), `cargo build --release`.
+
+## 2026-06-17 – Add cargo-audit CI gate, remove orphaned `-git` PKGBUILD
+
+- **Who**: ClaudeCode, Dom
+- **Why**: A hygiene audit found supply chain and dependency health clean (`cargo audit` 0.22.2: 0 vulnerabilities across 116 crates), but flagged repo-hygiene gaps: CI (`.gitea/workflows/`) only auto-bumped pkgver and ran no vulnerability scan, so a future advisory against a locked dependency would go undetected; `pkg/PKGBUILD` was an orphaned `moonlock-git` VCS PKGBUILD (`pkgver=0.4.1.r1...`, two minor versions behind v0.6.18) left over from the pre-tag-build era — the canonical packaging now lives in `moonarch-pkgbuilds/moonlock/PKGBUILD` and is auto-bumped by `update-pkgver.yaml`; a stray `.pytest_cache/` sat in the repo root of this pure-Rust project, only suppressed by a user-global gitignore.
+- **Tradeoffs**: CI gate scoped to `cargo audit` only, not `cargo test`/`clippy`/`build` — `cargo audit` parses `Cargo.lock` and needs no GTK4/PAM build environment, whereas the broader checks depend on the `moonarch` runner having the full dev toolchain, which is unverified and beyond the hygiene scope. `cargo install cargo-audit` recompiles per run (~2-3 min); accepted, caching deferred. Open risk: the runner must provide a Rust toolchain (`cargo`); `update-pkgver.yaml` only uses `git`, so this needs validation on first run. Deleting `pkg/PKGBUILD` rather than updating it: it is not in the build pipeline and the `-git` variant was abandoned at the tag-build switch (see `moonarch-pkgbuilds/DECISIONS.md` 2026-06-10).
+- **How**: New `.gitea/workflows/ci.yaml` (`Audit` workflow, triggers on push to `main`, `v*` tags, and PRs to `main`) clones the repo and runs `cargo audit`. Removed `pkg/PKGBUILD` and the empty `pkg/` dir; dropped the now-dead `pkg/*` makepkg-artifact lines from `.gitignore` and added `.pytest_cache/`. No version bump — no code or behavior change to the binary.
+
+## 2026-06-17 – Restore hardened release profile after the crash hunt (v0.6.18)
+
+- **Who**: ClaudeCode, Dom
+- **Why**: A security audit found the `[profile.release]` in `Cargo.toml` had silently drifted from the hardened profile decided on 2026-04-24 (`lto = "fat"`, `strip = true`). Git blame traced the drift to v0.6.14 (commit `85cf039`, "refactor: power-confirm via PowerAction table"): `lto` was reverted `fat`→`thin`, `strip` flipped `true`→`false`, and `debug = true` was added — all bundled into an unrelated refactor commit, with no commit-message mention and no entry here. The pattern (no strip + debug symbols + faster thin LTO) was a debug aid for the suspend/resume SIGSEGV hunt that ran v0.6.9–v0.6.17, giving symbolized coredump backtraces. That crash is fixed as of v0.6.17, so the debug profile has outlived its purpose, while shipping debug symbols on a security-critical auth binary eases reverse-engineering of the auth path and bloats the binary.
+- **Tradeoffs**: Restoring `lto = "fat"` roughly doubles release build time (~30 s → ~60 s) for better cross-crate inlining; acceptable for a binary compiled once per release. Dropping `strip = false` + `debug = true` means field coredumps are no longer symbolized out of the box — a deliberate trade now that the crash is resolved; debug symbols can be re-enabled temporarily if a new crash needs hunting. Not chosen: keeping `lto = "fat"` but retaining the debug symbols — rejected because the symbols' only justification (the crash hunt) is gone.
+- **How**: `Cargo.toml` `[profile.release]` restored to `lto = "fat"`, `strip = true`, with the `debug = true` line removed; `codegen-units = 1` unchanged. Verified via `file target/release/moonlock` reporting a stripped binary.
+
+## 2026-06-02 – Real fix for the unlock SIGSEGV: quit in ::unlocked, never destroy windows ourselves (v0.6.17)
+
+- **Who**: ClaudeCode, Dom
+- **Why**: The v0.6.15 "stale per-monitor window" theory was a **misdiagnosis**. A clean manual `target/release/moonlock` lock→unlock (single monitor, no suspend, no monitor removal) still crashed, preceded by `Gdk-CRITICAL: gdk_surface_get_display: assertion 'GDK_IS_SURFACE (surface)' failed`. The v0.6.16 backtrace's top app frame is the `unlock_callback` closure, which ran `lock.unlock(); app.quit();`. Per the gtk4-session-lock header (`assign_window_to_monitor`: "the window will be unmapped and `gtk_window_destroy()` called on it when the current lock ends") the **library destroys the lock windows itself** on unlock. `app.quit()` then destroyed the same windows again — surface already gone → SIGSEGV. A double-destroy in the teardown sequence, entirely independent of monitors.
+- **Tradeoffs**: Reverted the v0.6.15/v0.6.16 monitor-pruning + `LockscreenHandles.monitor` field: it targeted the wrong cause, never fired in testing, and manually called `app.remove_window()` on library-managed lock windows — exactly what the upstream example warns against ("does NOT manually destroy or close the lock windows"). Monitor-removal-during-lock is left entirely to the library (which already auto-unmaps+dereferences such windows). Three attempts total: idle_add deferral (wrong: reentrancy theory), monitor-pruning (wrong: misdiagnosis), and this one — verified against both the C header and the upstream `examples/simple.rs`.
+- **How**: `unlock_callback` now calls only `lock.unlock()`. A new `lock.connect_unlocked(|_| app.quit())` quits the app only after the library finishes its teardown and fires `::unlocked`. Mirrors the canonical gtk4-session-lock usage exactly.
+
+## 2026-06-02 – Prune per-monitor windows on monitor removal to fix resume-unlock SIGSEGV (v0.6.15)
+
+- **Who**: ClaudeCode, Dom
+- **Why**: Chronic SIGSEGV (multiple coredumps/day) on the unlock following a suspend/resume. Backtrace: `app.quit()` → `gtk_window_destroy` → gtk4-layer-shell → `g_signal_emit` → NULL deref (`0x278`, rax=0). Root cause: `connect_monitor` is add-only — it creates one window per monitor and pushes to `all_handles`, but nothing ever removes a window when a monitor powers off on suspend. gtk4-session-lock unmaps + drops *its* ref to that window on monitor removal (per `gtk4-session-lock` 0.4 docs), but the GtkApplication (`ApplicationWindow::builder().application(app)`) and `all_handles` still hold refs. The orphaned window survives until unlock, where destroying it dereferences its now-NULL monitor association. A diagnostic confirmed the windows are GTK-valid but accumulate (3 windows for 1-2 monitors) with a NULL associated object.
+- **Tradeoffs**: An earlier attempt deferred `unlock()`/`quit()` via `glib::idle_add_local_once` on a reentrancy theory — proven wrong by the logs (crash happens *inside* the idle trampoline). Reverted. The library doc explicitly says monitor removal is detected via "GTK APIs"; we follow that rather than fighting the library. We release our refs (do **not** call `destroy` — the lib already unmapped+dereffed the window). Diagnostic UNLOCK logging is kept for now, to be removed once a suspend/resume validation cycle confirms the fix.
+- **How**: `LockscreenHandles` gains `monitor: Option<gdk::Monitor>`, set in the `connect_monitor` handler. `activate_with_session_lock` watches `display.monitors()` via `connect_items_changed`; on any change it retains only handles whose monitor `is_valid()`, calling `app.remove_window()` on the pruned ones to drop the application's ref. With both refs released, the orphaned window is gone before unlock.
+
+## 2026-06-02 – Align power-confirm to moonset's ActionDef pattern (v0.6.14)
+
+- **Who**: ClaudeCode, Dom
+- **Why**: A code review of moongreet's power-confirm (ported from this file) flagged the shared pattern as lower-altitude than moonset's: two near-identical reboot/shutdown handlers and a `show_power_confirm` taking loose `message`/`action_fn`/`error_message` params that can drift apart. moonset already solved this with an `ActionDef` table + button factory. Changed here in lockstep with moongreet to keep the three projects symmetric.
+- **Tradeoffs**: A `PowerAction` struct + `power_actions()` table + `create_power_button` factory is slightly more machinery for two actions, but couples icon/prompt/error/action into one value (a mismatched prompt/action becomes unrepresentable) and makes a third action a one-line table entry. Did NOT touch `confirm_box: Rc<RefCell<Option<gtk::Box>>>` — moonset uses the same, it is the shared convention.
+- **How**: Replaced the two hand-wired handlers with a loop over `power_actions()`; `show_power_confirm`/`execute_power_action` now take `PowerAction` (Copy) instead of three loose strings. Added an in-flight re-trigger guard via `power_box.set_sensitive(false)` (re-enabled on failure), matching moonset; also clear a stale `error_label` when showing a new prompt.
+
+## 2026-05-04 – Drop PAM account/session stack, remove `check_account`, drop `pam_acct_mgmt` from password path (v0.6.13)
+
+- **Who**: ClaudeCode, Dom
+- **Why**: 20 SIGSEGV coredumps in 6 days. All crashes preceded by `pam_unix(moonlock:account): setuid failed: Operation not permitted`. The previous PAM config (`auth/account/session include system-auth`) pulled `pam_unix(account)`, which needs setuid root for `/etc/shadow`. moonlock runs as the user, so `pam_acct_mgmt` always failed. The failure cascaded into the FP-resume path (`gio::spawn_blocking(check_account) → false → 2s timeout → resume_async`) where a use-after-free during `gtk_window_destroy` killed the process. Each crash left a dead `ext-session-lock-v1` client and the compositor stuck on its red fallback backdrop until manual recovery. Initial fix on 2026-04-30 dropped the FP-side `check_account` and the account/session lines from the PAM config, but left the `pam_acct_mgmt` call in `auth.rs::authenticate()` for the password path. Result: a PAM stack with no `account` module fell back to `/etc/pam.d/other` (`pam_deny`) and rejected every password — Dom got locked out on 2026-05-04.
+- **Tradeoffs**: Aligned with the swaylock/gtklock pattern (only `auth include login`). Lost: PAM-driven account expiry/lockout in both paths. Acceptable because (a) FP attempts are still bounded by `MAX_FP_ATTEMPTS` in `fingerprint.rs`, (b) password-path lockout still works through `pam_faillock.so preauth/authfail/authsucc` in the inherited `auth` stack, and (c) account validity was already verified by the login manager when the session was opened — a lockscreen unlocks an existing session, it does not gate access to a new one. Not chosen: a custom `account` stack with `pam_faillock.so` only — would have kept PAM-level FP lockout but adds a non-standard config that other lockers do not use, and `pam_faillock` standalone in `account` is rarely tested in the wild.
+- **How**: (1) `config/moonlock-pam` reduced to a single `auth include login` line. (2) `auth.rs::check_account()` and its two unit tests removed. (3) `auth.rs::authenticate()` no longer calls `pam_acct_mgmt`; `pam_authenticate` result is returned directly. The `pam_acct_mgmt` extern declaration is removed. (4) `lockscreen.rs::start_fingerprint` simplified — the `gio::spawn_blocking(check_account)` async block, the failure-side error UI, and the 2-second `resume_async` retry path all removed; on FP success the closure now goes `label.set_text(success); fp.stop(); cb()`. (5) `fingerprint.rs::resume_async()` removed. (6) `CLAUDE.md` architecture and security sections updated to describe the new PAM stack.
+
 ## 2026-04-24 – Audit LOW fixes: docs, rustdoc, check_account scope, debug gating, lto fat (v0.6.12)
 
 - **Who**: ClaudeCode, Dom

config/moonlock-pam

@@ -1,4 +1,2 @@
 #%PAM-1.0
-auth		include		system-auth
-account		include		system-auth
-session		include		system-auth
+auth		include		login

pkg/PKGBUILD

@@ -1,51 +0,0 @@
-# ABOUTME: PKGBUILD for Moonlock — secure Wayland lockscreen.
-# ABOUTME: Builds from git source with automatic version detection.
-
-# Maintainer: Dominik Kressler
-
-pkgname=moonlock-git
-pkgver=0.4.1.r1.g78bcf90
-pkgrel=1
-pkgdesc="A secure Wayland lockscreen with GTK4, PAM and fingerprint support"
-arch=('x86_64')
-url="https://gitea.moonarch.de/nevaforget/moonlock"
-license=('MIT')
-depends=(
-    'gtk4'
-    'gtk4-layer-shell'
-    'gtk-session-lock'
-    'pam'
-    'systemd-libs'
-)
-makedepends=(
-    'git'
-    'cargo'
-)
-optdepends=(
-    'fprintd: fingerprint authentication support'
-)
-provides=('moonlock')
-conflicts=('moonlock')
-source=("git+${url}.git")
-sha256sums=('SKIP')
-
-pkgver() {
-    cd "$srcdir/moonlock"
-    git describe --long --tags | sed 's/^v//;s/-/.r/;s/-/./'
-}
-
-build() {
-    cd "$srcdir/moonlock"
-    cargo build --release --locked
-}
-
-package() {
-    cd "$srcdir/moonlock"
-    install -Dm755 target/release/moonlock "$pkgdir/usr/bin/moonlock"
-
-    # PAM configuration
-    install -Dm644 config/moonlock-pam "$pkgdir/etc/pam.d/moonlock"
-
-    # Example config
-    install -Dm644 config/moonlock.toml.example "$pkgdir/etc/moonlock/moonlock.toml.example"
-}

src/auth.rs

@@ -54,8 +54,6 @@ unsafe extern "C" {
 
     fn pam_authenticate(pamh: *mut libc::c_void, flags: libc::c_int) -> libc::c_int;
 
-    fn pam_acct_mgmt(pamh: *mut libc::c_void, flags: libc::c_int) -> libc::c_int;
-
     fn pam_end(pamh: *mut libc::c_void, pam_status: libc::c_int) -> libc::c_int;
 }
 
@@ -117,7 +115,7 @@ unsafe extern "C" fn pam_conv_callback(
                 }
                 PAM_PROMPT_ECHO_ON => {
                     // Visible prompt — provide empty string, never the password
-                    let empty = libc::strdup(b"\0".as_ptr() as *const libc::c_char);
+                    let empty = libc::strdup(c"".as_ptr());
                     if empty.is_null() {
                         for j in 0..i {
                             let prev = resp_array.offset(j);
@@ -197,68 +195,17 @@ pub fn authenticate(username: &str, password: &str) -> bool {
     // refreshing them would duplicate work done by the session's login manager.
     // If per-unlock credential refresh (Kerberos tickets, pam_gnome_keyring)
     // is ever desired, hook it here with PAM_ESTABLISH_CRED.
+    //
+    // pam_acct_mgmt is intentionally NOT called: the PAM stack (`auth include
+    // login`) has no `account` module, and pam_unix(account) requires setuid
+    // root for /etc/shadow. Lockout/faillock and policy checks happen inside
+    // the inherited auth stack via pam_faillock. See DECISIONS.md 2026-04-30.
     let auth_ret = unsafe { pam_authenticate(handle, 0) };
-    let acct_ret = if auth_ret == PAM_SUCCESS {
-        // Safety: handle is valid, check account restrictions
-        unsafe { pam_acct_mgmt(handle, 0) }
-    } else {
-        auth_ret
-    };
 
     // Safety: handle is valid, pam_end cleans up the PAM session
-    unsafe { pam_end(handle, acct_ret) };
+    unsafe { pam_end(handle, auth_ret) };
 
-    acct_ret == PAM_SUCCESS
-}
-
-/// Check account restrictions via PAM without authentication.
-///
-/// Used after fingerprint unlock to enforce account policies (lockout, expiry)
-/// that would otherwise be bypassed when not going through pam_authenticate.
-/// Returns true if the account is valid and allowed to log in.
-///
-/// **Precondition**: `username` must be the authenticated system user, derived
-/// via `users::get_current_user()` (which reads `getuid()`). Calling this with
-/// an attacker-controlled username is unsafe — `pam_acct_mgmt` returns SUCCESS
-/// for any valid unlocked account, giving a trivial unlock bypass.
-pub(crate) fn check_account(username: &str) -> bool {
-    let service = match CString::new("moonlock") {
-        Ok(c) => c,
-        Err(_) => return false,
-    };
-
-    let username_cstr = match CString::new(username) {
-        Ok(c) => c,
-        Err(_) => return false,
-    };
-
-    // No password needed — we only check account status, not authenticate.
-    // PAM conv callback is required by pam_start but won't be called for acct_mgmt.
-    let empty_password = Zeroizing::new(CString::new("").unwrap());
-    let conv = PamConv {
-        conv: pam_conv_callback,
-        appdata_ptr: std::ptr::from_ref::<CString>(&empty_password) as *mut libc::c_void,
-    };
-
-    let mut handle: *mut libc::c_void = ptr::null_mut();
-
-    let ret = unsafe {
-        pam_start(
-            service.as_ptr(),
-            username_cstr.as_ptr(),
-            &conv,
-            &mut handle,
-        )
-    };
-
-    if ret != PAM_SUCCESS || handle.is_null() {
-        return false;
-    }
-
-    let acct_ret = unsafe { pam_acct_mgmt(handle, 0) };
-    unsafe { pam_end(handle, acct_ret) };
-
-    acct_ret == PAM_SUCCESS
+    auth_ret == PAM_SUCCESS
 }
 
 #[cfg(test)]
@@ -295,16 +242,4 @@ mod tests {
         let result = authenticate("", "password");
         assert!(!result);
     }
-
-    #[test]
-    fn check_account_empty_username_fails() {
-        let result = check_account("");
-        assert!(!result);
-    }
-
-    #[test]
-    fn check_account_null_byte_username_fails() {
-        let result = check_account("user\0name");
-        assert!(!result);
-    }
 }

src/config.rs

@@ -72,8 +72,11 @@ pub fn resolve_background_path(config: &Config) -> Option<PathBuf> {
 pub fn resolve_background_path_with(config: &Config, moonarch_wallpaper: &Path) -> Option<PathBuf> {
     if let Some(ref bg) = config.background_path {
         let path = PathBuf::from(bg);
-        if let Ok(meta) = path.symlink_metadata() {
-            if meta.is_file() && !meta.file_type().is_symlink() { return Some(path); }
+        if let Ok(meta) = path.symlink_metadata()
+            && meta.is_file()
+            && !meta.file_type().is_symlink()
+        {
+            return Some(path);
         }
     }
     if moonarch_wallpaper.is_file() { return Some(moonarch_wallpaper.to_path_buf()); }

src/fingerprint.rs

@@ -175,29 +175,6 @@ impl FingerprintListener {
         Self::begin_verification(listener, username).await;
     }
 
-    /// Resume fingerprint verification after a transient interruption (e.g. failed
-    /// PAM account check). Reuses previously stored callbacks. Re-claims the device
-    /// and restarts verification from scratch. Awaits any in-flight VerifyStop +
-    /// Release before re-claiming the device so fprintd does not reject the Claim
-    /// while the previous session is still being torn down.
-    pub async fn resume_async(
-        listener: &Rc<RefCell<FingerprintListener>>,
-        username: &str,
-    ) {
-        // Drain in-flight cleanup so the device is actually released before Claim.
-        // Without this, a fast resume after on_verify_status's fire-and-forget
-        // cleanup races the Release call and fprintd returns "already claimed".
-        let proxy = listener.borrow_mut().take_cleanup_proxy();
-        if let Some(proxy) = proxy {
-            Self::perform_dbus_cleanup(proxy).await;
-        }
-        // Deliberately do NOT reset failed_attempts here. An attacker with sensor
-        // control could otherwise cycle verify-match → check_account fail → resume,
-        // and the 10-attempt cap would never trigger. The counter decays only via
-        // a fresh lock session (listener construction).
-        Self::begin_verification(listener, username).await;
-    }
-
     /// Claim device, start verification, and connect D-Bus signal handler.
     /// Assumes device_proxy is set and callbacks are already stored.
     async fn begin_verification(
@@ -366,11 +343,6 @@ impl FingerprintListener {
 
     /// Disconnect the signal handler and clear running flags. Returns the proxy
     /// the caller should use for the async D-Bus cleanup (VerifyStop + Release).
-    ///
-    /// Split into a sync part (signal disconnect, flags) and an async part
-    /// (`perform_dbus_cleanup`) so callers can either spawn the async work
-    /// fire-and-forget (via `cleanup_dbus`) or await it to serialize with a
-    /// subsequent Claim (via `resume_async`).
     fn take_cleanup_proxy(&mut self) -> Option<gio::DBusProxy> {
         self.running = false;
         self.running_flag.set(false);

src/lockscreen.rs

@@ -24,7 +24,6 @@ use crate::users;
 pub struct LockscreenHandles {
     pub window: gtk::ApplicationWindow,
     pub fp_label: gtk::Label,
-    pub password_entry: gtk::PasswordEntry,
     pub unlock_callback: Rc<dyn Fn()>,
     pub username: String,
     state: Rc<RefCell<LockscreenState>>,
@@ -67,7 +66,6 @@ pub fn create_lockscreen_window(
             return LockscreenHandles {
                 window,
                 fp_label,
-                password_entry: gtk::PasswordEntry::new(),
                 unlock_callback,
                 username: String::new(),
                 state: Rc::new(RefCell::new(LockscreenState {
@@ -170,55 +168,17 @@ pub fn create_lockscreen_window(
     power_box.set_margin_end(16);
     power_box.set_margin_bottom(16);
 
-    let reboot_btn = gtk::Button::new();
-    reboot_btn.set_icon_name("system-reboot-symbolic");
-    reboot_btn.add_css_class("power-button");
-    reboot_btn.set_tooltip_text(Some(strings.reboot_tooltip));
-    reboot_btn.connect_clicked(clone!(
-        #[weak]
-        confirm_area,
-        #[strong]
-        confirm_box,
-        #[weak]
-        error_label,
-        move |_| {
-            show_power_confirm(
-                strings.reboot_confirm,
-                power::reboot,
-                strings.reboot_failed,
-                strings,
-                &confirm_area,
-                &confirm_box,
-                &error_label,
-            );
-        }
-    ));
-    power_box.append(&reboot_btn);
-
-    let shutdown_btn = gtk::Button::new();
-    shutdown_btn.set_icon_name("system-shutdown-symbolic");
-    shutdown_btn.add_css_class("power-button");
-    shutdown_btn.set_tooltip_text(Some(strings.shutdown_tooltip));
-    shutdown_btn.connect_clicked(clone!(
-        #[weak]
-        confirm_area,
-        #[strong]
-        confirm_box,
-        #[weak]
-        error_label,
-        move |_| {
-            show_power_confirm(
-                strings.shutdown_confirm,
-                power::shutdown,
-                strings.shutdown_failed,
-                strings,
-                &confirm_area,
-                &confirm_box,
-                &error_label,
-            );
-        }
-    ));
-    power_box.append(&shutdown_btn);
+    for action in power_actions() {
+        let button = create_power_button(
+            action,
+            strings,
+            &power_box,
+            &confirm_area,
+            &confirm_box,
+            &error_label,
+        );
+        power_box.append(&button);
+    }
 
     overlay.add_overlay(&power_box);
 
@@ -395,7 +355,6 @@ pub fn create_lockscreen_window(
     LockscreenHandles {
         window,
         fp_label,
-        password_entry: password_entry.clone(),
         unlock_callback,
         username: user.username,
         state: state.clone(),
@@ -427,52 +386,16 @@ pub fn start_fingerprint(
     let unlock_cb_fp = handles.unlock_callback.clone();
 
     let fp_rc_success = fp_rc.clone();
-    let fp_username = handles.username.clone();
     let on_success = move || {
         let label = fp_label_success.clone();
         let cb = unlock_cb_fp.clone();
         let fp = fp_rc_success.clone();
-        let username = fp_username.clone();
         glib::idle_add_local_once(move || {
             let strings = load_strings(None);
             label.set_text(strings.fingerprint_success);
             label.add_css_class("success");
-            // stop() is idempotent — cleanup_dbus() already ran inside on_verify_status,
-            // but this mirrors the PAM success path for defense-in-depth.
             fp.borrow_mut().stop();
-
-            // Enforce PAM account policies (lockout, expiry) before unlocking.
-            // Fingerprint auth bypasses pam_authenticate, so we must explicitly
-            // check account restrictions via pam_acct_mgmt.
-            glib::spawn_future_local(async move {
-                let user = username.clone();
-                let result = gio::spawn_blocking(move || {
-                    auth::check_account(&user)
-                }).await;
-                match result {
-                    Ok(true) => cb(),
-                    _ => {
-                        log::error!("PAM account check failed after fingerprint auth");
-                        let strings = load_strings(None);
-                        label.set_text(strings.wrong_password);
-                        label.remove_css_class("success");
-                        label.add_css_class("failed");
-                        // Restart FP verification after delay — the failure may be
-                        // transient (e.g. PAM module timeout). If the account is truly
-                        // locked, check_account will fail again on next match.
-                        glib::timeout_add_local_once(
-                            std::time::Duration::from_secs(2),
-                            move || {
-                                label.set_text(load_strings(None).fingerprint_prompt);
-                                label.remove_css_class("failed");
-                                glib::spawn_future_local(async move {
-                                    FingerprintListener::resume_async(&fp, &username).await;
-                                });
-                            },
-                        );
-                    }
-                }
-            });
+            cb();
         });
     };
 
@@ -519,6 +442,23 @@ pub fn start_fingerprint(
     });
 }
 
+/// Read a file with O_NOFOLLOW so a symlink swapped in after a prior
+/// stat-based check (TOCTOU) fails the open with ELOOP instead of being
+/// followed. Shared by the wallpaper and avatar loads — the two file reads
+/// on the lock path.
+fn read_file_nofollow(path: &Path) -> std::io::Result<Vec<u8>> {
+    use std::io::Read;
+    use std::os::unix::fs::OpenOptionsExt;
+
+    let mut file = std::fs::OpenOptions::new()
+        .read(true)
+        .custom_flags(libc::O_NOFOLLOW)
+        .open(path)?;
+    let mut bytes = Vec::new();
+    file.read_to_end(&mut bytes)?;
+    Ok(bytes)
+}
+
 /// Load the wallpaper as a texture once, for sharing across all windows.
 /// Returns None if no wallpaper path is provided or the file cannot be loaded.
 /// Blur is applied at render time via GPU (GskBlurNode), not here.
@@ -527,25 +467,13 @@ pub fn start_fingerprint(
 /// symlink check in `resolve_background_path_with` and this read. If the path
 /// was swapped for a symlink after the check, `open` fails with ELOOP.
 pub fn load_background_texture(bg_path: &Path) -> Option<gdk::Texture> {
-    use std::io::Read;
-    use std::os::unix::fs::OpenOptionsExt;
-
-    let mut file = match std::fs::OpenOptions::new()
-        .read(true)
-        .custom_flags(libc::O_NOFOLLOW)
-        .open(bg_path)
-    {
-        Ok(f) => f,
+    let bytes = match read_file_nofollow(bg_path) {
+        Ok(b) => b,
         Err(e) => {
-            log::warn!("Failed to open wallpaper {}: {e}", bg_path.display());
+            log::warn!("Failed to read wallpaper {}: {e}", bg_path.display());
             return None;
         }
     };
-    let mut bytes = Vec::new();
-    if let Err(e) = file.read_to_end(&mut bytes) {
-        log::warn!("Failed to read wallpaper {}: {e}", bg_path.display());
-        return None;
-    }
     let glib_bytes = glib::Bytes::from_owned(bytes);
     match gdk::Texture::from_bytes(&glib_bytes) {
         Ok(texture) => Some(texture),
@@ -572,21 +500,19 @@ fn create_background_picture(
     background.set_hexpand(true);
     background.set_vexpand(true);
 
-    if let Some(sigma) = blur_radius {
-        if sigma > 0.0 {
-            let texture = texture.clone();
-            let cache = blur_cache.clone();
-            background.connect_realize(move |picture| {
-                if let Some(ref cached) = *cache.borrow() {
-                    picture.set_paintable(Some(cached));
-                    return;
-                }
-                if let Some(blurred) = render_blurred_texture(picture, &texture, sigma) {
-                    picture.set_paintable(Some(&blurred));
-                    *cache.borrow_mut() = Some(blurred);
-                }
-            });
-        }
+    if let Some(sigma) = blur_radius.filter(|s| *s > 0.0) {
+        let texture = texture.clone();
+        let cache = blur_cache.clone();
+        background.connect_realize(move |picture| {
+            if let Some(ref cached) = *cache.borrow() {
+                picture.set_paintable(Some(cached));
+                return;
+            }
+            if let Some(blurred) = render_blurred_texture(picture, &texture, sigma) {
+                picture.set_paintable(Some(&blurred));
+                *cache.borrow_mut() = Some(blurred);
+            }
+        });
     }
 
     background
@@ -662,18 +588,25 @@ fn set_avatar_from_file(
     image.set_icon_name(Some("avatar-default-symbolic"));
 
     let display_path = path.to_path_buf();
-    let file = gio::File::for_path(path);
+    let read_path = path.to_path_buf();
     let image_clone = image.clone();
     let cache_clone = cache.clone();
 
     glib::spawn_future_local(async move {
-        let stream = match file.read_future(glib::Priority::default()).await {
-            Ok(s) => s,
-            Err(e) => {
+        // Read with O_NOFOLLOW on a blocking thread to close the TOCTOU window
+        // between the symlink check in users::get_avatar_path_with and this open.
+        let bytes = match gio::spawn_blocking(move || read_file_nofollow(&read_path)).await {
+            Ok(Ok(b)) => b,
+            Ok(Err(e)) => {
                 log::warn!("Failed to open avatar {}: {e}", display_path.display());
                 return;
             }
+            Err(_) => {
+                log::warn!("Avatar read task failed for {}", display_path.display());
+                return;
+            }
         };
+        let stream = gio::MemoryInputStream::from_bytes(&glib::Bytes::from_owned(bytes));
         match Pixbuf::from_stream_at_scale_future(&stream, AVATAR_SIZE, AVATAR_SIZE, true).await {
             Ok(pixbuf) => {
                 let texture = gdk::Texture::for_pixbuf(&pixbuf);
@@ -724,23 +657,84 @@ fn set_default_avatar(
     image.set_icon_name(Some("avatar-default-symbolic"));
 }
 
+/// Definition for a single power-action button (reboot, shutdown).
+/// Couples icon, prompt, error text and action so a button cannot be wired
+/// with a mismatched prompt/action pair. Mirrors moonset's `ActionDef`.
+#[derive(Clone, Copy)]
+struct PowerAction {
+    icon_name: &'static str,
+    tooltip_attr: fn(&Strings) -> &'static str,
+    confirm_attr: fn(&Strings) -> &'static str,
+    error_attr: fn(&Strings) -> &'static str,
+    action_fn: fn() -> Result<(), PowerError>,
+}
+
+/// The power actions offered on the lockscreen.
+fn power_actions() -> [PowerAction; 2] {
+    [
+        PowerAction {
+            icon_name: "system-reboot-symbolic",
+            tooltip_attr: |s| s.reboot_tooltip,
+            confirm_attr: |s| s.reboot_confirm,
+            error_attr: |s| s.reboot_failed,
+            action_fn: power::reboot,
+        },
+        PowerAction {
+            icon_name: "system-shutdown-symbolic",
+            tooltip_attr: |s| s.shutdown_tooltip,
+            confirm_attr: |s| s.shutdown_confirm,
+            error_attr: |s| s.shutdown_failed,
+            action_fn: power::shutdown,
+        },
+    ]
+}
+
+/// Build a power-action icon button wired to the confirmation flow.
+fn create_power_button(
+    action: PowerAction,
+    strings: &'static Strings,
+    power_box: &gtk::Box,
+    confirm_area: &gtk::Box,
+    confirm_box: &Rc<RefCell<Option<gtk::Box>>>,
+    error_label: &gtk::Label,
+) -> gtk::Button {
+    let button = gtk::Button::new();
+    button.set_icon_name(action.icon_name);
+    button.add_css_class("power-button");
+    button.set_tooltip_text(Some((action.tooltip_attr)(strings)));
+    button.connect_clicked(clone!(
+        #[weak]
+        power_box,
+        #[weak]
+        confirm_area,
+        #[strong]
+        confirm_box,
+        #[weak]
+        error_label,
+        move |_| {
+            show_power_confirm(action, strings, &power_box, &confirm_area, &confirm_box, &error_label);
+        }
+    ));
+    button
+}
+
 /// Show inline power confirmation.
 fn show_power_confirm(
-    message: &'static str,
-    action_fn: fn() -> Result<(), PowerError>,
-    error_message: &'static str,
+    action: PowerAction,
     strings: &'static Strings,
+    power_box: &gtk::Box,
     confirm_area: &gtk::Box,
     confirm_box: &Rc<RefCell<Option<gtk::Box>>>,
     error_label: &gtk::Label,
 ) {
     dismiss_power_confirm(confirm_area, confirm_box);
+    error_label.set_visible(false);
 
     let new_box = gtk::Box::new(gtk::Orientation::Vertical, 8);
     new_box.set_halign(gtk::Align::Center);
     new_box.set_margin_top(16);
 
-    let confirm_label = gtk::Label::new(Some(message));
+    let confirm_label = gtk::Label::new(Some((action.confirm_attr)(strings)));
     confirm_label.add_css_class("confirm-label");
     new_box.append(&confirm_label);
 
@@ -750,6 +744,8 @@ fn show_power_confirm(
     let yes_btn = gtk::Button::with_label(strings.confirm_yes);
     yes_btn.add_css_class("confirm-yes");
     yes_btn.connect_clicked(clone!(
+        #[weak]
+        power_box,
         #[weak]
         confirm_area,
         #[strong]
@@ -757,8 +753,7 @@ fn show_power_confirm(
         #[weak]
         error_label,
         move |_| {
-            dismiss_power_confirm(&confirm_area, &confirm_box);
-            execute_power_action(action_fn, error_message, &error_label);
+            execute_power_action(action, strings, &power_box, &confirm_area, &confirm_box, &error_label);
         }
     ));
     button_row.append(&yes_btn);
@@ -789,28 +784,44 @@ fn dismiss_power_confirm(confirm_area: &gtk::Box, confirm_box: &Rc<RefCell<Optio
     }
 }
 
-/// Execute a power action in a background thread.
+/// Execute a power action in a background thread, guarding against re-trigger.
 fn execute_power_action(
-    action_fn: fn() -> Result<(), PowerError>,
-    error_message: &'static str,
+    action: PowerAction,
+    strings: &'static Strings,
+    power_box: &gtk::Box,
+    confirm_area: &gtk::Box,
+    confirm_box: &Rc<RefCell<Option<gtk::Box>>>,
     error_label: &gtk::Label,
 ) {
+    dismiss_power_confirm(confirm_area, confirm_box);
+
+    let action_fn = action.action_fn;
+    let error_message = (action.error_attr)(strings);
+
+    // Desensitize the power buttons so a double-click or keyboard repeat cannot
+    // fire the same action twice while it is in flight.
+    power_box.set_sensitive(false);
+
     glib::spawn_future_local(clone!(
+        #[weak]
+        power_box,
         #[weak]
         error_label,
         async move {
-            let result = gio::spawn_blocking(move || action_fn()).await;
+            let result = gio::spawn_blocking(action_fn).await;
             match result {
                 Ok(Ok(())) => {}
                 Ok(Err(e)) => {
                     log::error!("Power action failed: {e}");
                     error_label.set_text(error_message);
                     error_label.set_visible(true);
+                    power_box.set_sensitive(true);
                 }
                 Err(_) => {
                     log::error!("Power action panicked");
                     error_label.set_text(error_message);
                     error_label.set_visible(true);
+                    power_box.set_sensitive(true);
                 }
             }
         }
@@ -830,4 +841,25 @@ mod tests {
     fn avatar_size_matches_css() {
         assert_eq!(AVATAR_SIZE, 128);
     }
+
+    #[test]
+    fn read_file_nofollow_reads_regular_file() {
+        let dir = tempfile::tempdir().unwrap();
+        let file = dir.path().join("avatar.png");
+        std::fs::write(&file, b"avatar-bytes").unwrap();
+        assert_eq!(read_file_nofollow(&file).unwrap(), b"avatar-bytes");
+    }
+
+    #[test]
+    fn read_file_nofollow_rejects_symlink() {
+        use std::os::unix::fs::symlink;
+        let dir = tempfile::tempdir().unwrap();
+        let target = dir.path().join("secret");
+        std::fs::write(&target, b"secret").unwrap();
+        let link = dir.path().join("avatar.png");
+        symlink(&target, &link).unwrap();
+        // O_NOFOLLOW makes the open fail with ELOOP instead of following the link.
+        let err = read_file_nofollow(&link).unwrap_err();
+        assert_eq!(err.raw_os_error(), Some(libc::ELOOP));
+    }
 }

src/main.rs

@@ -12,7 +12,6 @@ mod users;
 use gdk4 as gdk;
 use gtk4::prelude::*;
 use gtk4::{self as gtk, gio};
-use gtk4_session_lock;
 use std::cell::{Cell, RefCell};
 use std::rc::Rc;
 
@@ -75,9 +74,12 @@ fn activate_with_session_lock(
     // Shared unlock callback — unlocks session and quits.
     // Guard prevents double-unlock if PAM and fingerprint succeed simultaneously.
     let lock_clone = lock.clone();
-    let app_clone = app.clone();
     let already_unlocked = Rc::new(Cell::new(false));
     let au = already_unlocked.clone();
+    // unlock() only. The library destroys the lock windows itself when the lock ends,
+    // and the ::unlocked handler quits the app afterwards. Calling app.quit() here too
+    // double-destroyed the windows (their surface was already gone) and segfaulted
+    // gtk_window_destroy. Matches the upstream gtk4-session-lock example.
     let unlock_callback: Rc<dyn Fn()> = Rc::new(move || {
         if au.get() {
             log::debug!("Unlock already triggered, ignoring duplicate");
@@ -85,7 +87,6 @@ fn activate_with_session_lock(
         }
         au.set(true);
         lock_clone.unlock();
-        app_clone.quit();
     });
 
     // Shared caches for multi-monitor — first monitor renders, rest reuse
@@ -147,6 +148,16 @@ fn activate_with_session_lock(
         }
     ));
 
+    // Quit only after the library finishes unlocking (::unlocked fires after the lock
+    // ends). gtk4-session-lock destroys the lock windows itself at lock-end; quitting
+    // earlier — or destroying windows ourselves — races that teardown and segfaults
+    // gtk_window_destroy on an already-gone surface. Mirrors the upstream example.
+    lock.connect_unlocked(glib::clone!(
+        #[weak]
+        app,
+        move |_| app.quit()
+    ));
+
     lock.lock();
 
     // Async fprintd initialization — runs after windows are visible

src/users.rs

@@ -12,7 +12,6 @@ pub struct User {
     pub username: String,
     pub display_name: String,
     pub home: PathBuf,
-    pub uid: u32,
 }
 
 pub fn get_current_user() -> Option<User> {
@@ -29,7 +28,7 @@ pub fn get_current_user() -> Option<User> {
         let first = gecos.split(',').next().unwrap_or("");
         if first.is_empty() { nix_user.name.clone() } else { first.to_string() }
     } else { nix_user.name.clone() };
-    Some(User { username: nix_user.name, display_name, home: nix_user.dir, uid: uid.as_raw() })
+    Some(User { username: nix_user.name, display_name, home: nix_user.dir })
 }
 
 pub fn get_avatar_path(home: &Path, username: &str) -> Option<PathBuf> {
@@ -39,14 +38,20 @@ pub fn get_avatar_path(home: &Path, username: &str) -> Option<PathBuf> {
 pub fn get_avatar_path_with(home: &Path, username: &str, accountsservice_dir: &Path) -> Option<PathBuf> {
     // ~/.face takes priority — single stat via symlink_metadata to avoid TOCTOU
     let face = home.join(".face");
-    if let Ok(meta) = face.symlink_metadata() {
-        if meta.is_file() && !meta.file_type().is_symlink() { return Some(face); }
+    if let Ok(meta) = face.symlink_metadata()
+        && meta.is_file()
+        && !meta.file_type().is_symlink()
+    {
+        return Some(face);
     }
     // AccountsService icon
     if accountsservice_dir.exists() {
         let icon = accountsservice_dir.join(username);
-        if let Ok(meta) = icon.symlink_metadata() {
-            if meta.is_file() && !meta.file_type().is_symlink() { return Some(icon); }
+        if let Ok(meta) = icon.symlink_metadata()
+            && meta.is_file()
+            && !meta.file_type().is_symlink()
+        {
+            return Some(icon);
         }
     }
     None