Bug 246107

Summary: allow non root users
Product: [Fedora] Fedora Reporter: jmccann
Component: thinkfingerAssignee: Julian Sikorski <belegdol>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: 7CC: cschalle, cweyl, jplans, mikeb, rstrode
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 0.3-5.fc7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-10-08 14:56:58 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 300811, 305801    
Bug Blocks:    
Attachments:
Description Flags
fdi file to enable ACLs of the fingerprint reader device to be managed by HAL none

Description jmccann 2007-06-28 15:41:17 UTC
Currently thinkfinger doesn't work for non-root users.  Due to this it doesn't
work with gnome-screensaver etc.

Here is an updated package that does work.  It hasn't yet been adopted by
upstream because they thought it was "too fedora specific".  But it works pretty
well.

Comment 1 Julian Sikorski 2007-06-28 16:10:06 UTC
Erm, where?

Comment 2 jmccann 2007-06-28 16:19:28 UTC
um, coming

Comment 4 Ray Strode [halfline] 2007-06-28 17:27:23 UTC
Hi Jon,

Do you have a link to the discussion?

Comment 6 Julian Sikorski 2007-07-16 12:15:14 UTC
Jose, what do you think?

Comment 7 Jose Plans 2007-07-16 12:53:45 UTC
That patch is good to me, I wanted to reply to Timo about it, but never had the
time for it. Let me keep this in NEEDINFO and I chase upstream up on this.
Jon, apologies I haven't come back to you on that thread in time.

    Jose

Comment 8 Julian Sikorski 2007-07-16 13:00:25 UTC
OK. I probably won't be able to commit that until 4th of August due to problems
with proxy, so feel free to do that yourself.
Good that you're planning to chase upstream, since maintaining non-trivial
packages that upstream refuses to incorporate sooner or later becomes a PITA I
would prefer to avoid (vide caillon and xchat case).

Comment 9 Julian Sikorski 2007-07-16 13:04:42 UTC
I mean non-trivial patches, of course. Sorry for the confusion.

Comment 10 Mike Bonnet 2007-08-16 14:47:23 UTC
Any update on this?  I'd love to see gnome-screensaver working with the
fingerprint reader in F7.


Comment 11 Julian Sikorski 2007-09-05 17:23:17 UTC
OK. Upstream seems to be dead. Anyway, let this patch be the swan song of the
package.

Comment 12 Mike Bonnet 2007-09-05 17:49:46 UTC
That's a little disappointing.  Any reason not to rebuild the package with the
patches provided by William?  It seems that upstream adoption was the only thing
holding that up, and if there is no longer an active upstream it shouldn't be an
issue anymore.


Comment 13 jmccann 2007-09-05 18:20:17 UTC
I spoke with Timo briefly at GUADEC.  He said he didn't want these patches
because he is planning on completely redesigning thinkfinger.  So, we're sorta
in limbo...  Also, I guess these patches should be updated to not use pam-console.

Comment 14 Julian Sikorski 2007-09-05 18:42:25 UTC
Are you willing to update them? I am working on incorporating the current
version as we speak, but I can wait until you update them.

Comment 15 Julian Sikorski 2007-09-05 18:44:16 UTC
Also, could you also make a diff against autotools result files? Running
autoconf and friends at %build is discouraged.

Comment 16 jmccann 2007-09-05 18:45:23 UTC
Unfortunately, I won't have a chance to work on this in the near future.

Comment 17 Julian Sikorski 2007-09-05 18:52:07 UTC
Bummer. I can't fix the patches either. Given that, you think it's worth merging
them in their current form?

Comment 18 Mike Bonnet 2007-09-05 19:17:57 UTC
What needs to be fixed?  You just want to remove use of automake/autoconf at
build time?  I could take a stab at that.


Comment 19 Julian Sikorski 2007-09-05 19:26:03 UTC
I can handle that. The problem is the pam console removal, whatever that means.

Comment 20 Mike Bonnet 2007-09-06 16:39:16 UTC
I think that means not relying on pam_console to set the correct permissions on
devices, since it's due to be removed from Fedora, in favor of ACLs managed by
HAL.  See

http://fedoraproject.org/wiki/Releases/FeatureRemovePAMConsole


Comment 21 Julian Sikorski 2007-09-06 16:52:25 UTC
OK, now I know what the problem is. I still can't fix it, because I can't write
code. From this point, we have two possible routes:
- I incorporate patches in their current form, ignoring pam_console issues, or
- I wait until someone adapts the patches to use the console.
2nd solution does not exclude the first one, the only question is whether it's
worth the time.

Comment 22 Mike Bonnet 2007-09-06 17:14:35 UTC
Created attachment 189001 [details]
fdi file to enable ACLs of the fingerprint reader device to be managed by HAL

Here's an (untested) fdi file which should enable HAL to set ACLs for the
fingerprint reader device so users logged-in on the console have access.

Comment 23 Julian Sikorski 2007-09-06 17:28:48 UTC
Thanks. Once the source code patches get updated, I'll merge that into Fedora
immediately.

Comment 24 Mike Bonnet 2007-09-06 17:33:44 UTC
I still need to get permissions set on /dev/input/uinput, which is a little
tricky.  This needs to be writable by the console user for gnome-screensaver to
use the fingerprint reader.  /dev/input/uinput doesn't currently show up in HAL,
so I'm going to need a combination of udev rules and HAL fdi to set the
permissions correctly.  I'll see about writing and testing something in the next
couple of days.

Are there security issues with giving multiple non-root users write access to
/dev/input/uinput?  Since it can be used to simulate user input, could this be
used to perform actions on behalf of another user?


Comment 25 Julian Sikorski 2007-09-06 17:36:50 UTC
Awesome, good luck!

Comment 26 Mike Bonnet 2007-09-21 17:27:50 UTC
A new srpm is available here:

http://mikeb.fedorapeople.org/thinkfinger/thinkfinger-0.3-3.F7.ACS.fc7.src.rpm

And testable binaries are available here:

http://koji.fedoraproject.org/koji/taskinfo?taskID=168646

This package includes patches to make hal manage ACLs for the fingerprint reader
device, and to disable use of autoconf in build.  It should be ready to go for
Fedora once your fix the Release: to be the correct value.

Note that this package does not completely remove the dependency on pam_console.
 hal is unable to manage ACLs on /dev/input/uinput, and the code changes
required to do so will not be added.  ACL management is being moved from hal to
udev, and at that point we will be able to remove the pam_console dependency.

Also, this package will not work out-of-the-box at the moment.  SELinux is
preventing pam_console from setting the ownership of uinput.  I've filed a bug,
and hopefully it'll be fixed soon.  The bug is:

https://bugzilla.redhat.com/show_bug.cgi?id=300811

Once that bug is fixed, the only thing that should be required for fingerprint
reader support, including gnome-screensaver integration, is the one-line change
to /etc/pam.d/system-auth.


Comment 27 Julian Sikorski 2007-09-22 11:32:17 UTC
OK, changes imported and built for f8 and f7. I'll push the appropriate update
once selinux is ready. Do you think this will work under fc6?

Jose: did you make any contact with upstream regarding these? Or maybe do you
know what exactly the status of upstream is?

Thanks for everyone involved.

Comment 28 Julian Sikorski 2007-09-22 12:52:29 UTC
Does this require some changes screensaver-wise? I installed
selinux-policy-2.6.4-44.fc7 an neither gnome-screensaver nor xscreensaver seem
to care about me swiping my finger to unlock the screen.

Comment 29 Julian Sikorski 2007-09-22 15:51:28 UTC
Got it. Fingerprints need to be re-taken in order to set ACLs. Now it works.
Maybe we could use some rpm magic to do that automatically?

Comment 30 Fedora Update System 2007-09-28 21:20:18 UTC
thinkfinger-0.3-5.fc7 has been pushed to the Fedora 7 testing repository.  If problems still persist, please make note of it in this bug report.

Comment 31 Fedora Update System 2007-10-08 14:56:57 UTC
thinkfinger-0.3-5.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.