diff --git a/config.py b/config.py
index c4e5d09..b72b4bc 100644
--- a/config.py
+++ b/config.py
@@ -116,7 +116,15 @@ def _auto_detect_db_dir_linux():
     # sudo 运行时，~ 展开为 /root；回退到实际用户的 home
     sudo_user = os.environ.get("SUDO_USER")
     if sudo_user:
-        sudo_home = os.path.expanduser(f"~{sudo_user}")
+        # 验证 SUDO_USER 是合法系统用户，防止路径注入
+        import pwd
+        try:
+            pw = pwd.getpwnam(sudo_user)
+            sudo_home = pw.pw_dir
+        except KeyError:
+            sudo_home = None
+        if not sudo_home:
+            sudo_home = os.path.expanduser(f"~{sudo_user}")
         fallback = os.path.join(sudo_home, "Documents", "xwechat_files")
         if fallback not in search_roots:
             search_roots.append(fallback)
diff --git a/find_all_keys_linux.py b/find_all_keys_linux.py
index 92b0e65..6e0dce8 100644
--- a/find_all_keys_linux.py
+++ b/find_all_keys_linux.py
@@ -28,7 +28,7 @@ def _safe_readlink(path):
         return ""
 
 
-_INTERPRETERS = {"python", "python3", "bash", "sh", "zsh", "node", "perl", "ruby"}
+_INTERPRETER_PREFIXES = ("python", "bash", "sh", "zsh", "node", "perl", "ruby")
 
 
 def _is_wechat_process(pid):
@@ -44,8 +44,8 @@ def _is_wechat_process(pid):
             comm = f.read().strip()
         exe_path = _safe_readlink(f"/proc/{pid}/exe")
         exe_name = os.path.basename(exe_path)
-        # 排除脚本解释器进程（避免匹配 python3 wechat-decrypt 等）
-        if exe_name.lower() in _INTERPRETERS:
+        # 排除脚本解释器进程（避免匹配 python3.11 wechat-decrypt 等）
+        if any(exe_name.lower().startswith(p) for p in _INTERPRETER_PREFIXES):
             return False
         haystack = f"{comm} {exe_name}".lower()
         return "wechat" in haystack or "weixin" in haystack