Bug 246107
Summary: | allow non root users | ||||||
---|---|---|---|---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | jmccann | ||||
Component: | thinkfinger | Assignee: | Julian Sikorski <belegdol> | ||||
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
Severity: | low | Docs Contact: | |||||
Priority: | low | ||||||
Version: | 7 | CC: | cschalle, cweyl, jplans, mikeb, rstrode | ||||
Target Milestone: | --- | ||||||
Target Release: | --- | ||||||
Hardware: | All | ||||||
OS: | Linux | ||||||
Whiteboard: | |||||||
Fixed In Version: | 0.3-5.fc7 | Doc Type: | Bug Fix | ||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2007-10-08 14:56:58 UTC | Type: | --- | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Bug Depends On: | 300811, 305801 | ||||||
Bug Blocks: | |||||||
Attachments: |
|
Description
jmccann
2007-06-28 15:41:17 UTC
Erm, where? um, coming Hi Jon, Do you have a link to the discussion? Hey, http://thread.gmane.org/gmane.linux.drivers.thinkfinger/328/focus=330 http://thread.gmane.org/gmane.linux.drivers.thinkfinger/327 Jose, what do you think? That patch is good to me, I wanted to reply to Timo about it, but never had the time for it. Let me keep this in NEEDINFO and I chase upstream up on this. Jon, apologies I haven't come back to you on that thread in time. Jose OK. I probably won't be able to commit that until 4th of August due to problems with proxy, so feel free to do that yourself. Good that you're planning to chase upstream, since maintaining non-trivial packages that upstream refuses to incorporate sooner or later becomes a PITA I would prefer to avoid (vide caillon and xchat case). I mean non-trivial patches, of course. Sorry for the confusion. Any update on this? I'd love to see gnome-screensaver working with the fingerprint reader in F7. OK. Upstream seems to be dead. Anyway, let this patch be the swan song of the package. That's a little disappointing. Any reason not to rebuild the package with the patches provided by William? It seems that upstream adoption was the only thing holding that up, and if there is no longer an active upstream it shouldn't be an issue anymore. I spoke with Timo briefly at GUADEC. He said he didn't want these patches because he is planning on completely redesigning thinkfinger. So, we're sorta in limbo... Also, I guess these patches should be updated to not use pam-console. Are you willing to update them? I am working on incorporating the current version as we speak, but I can wait until you update them. Also, could you also make a diff against autotools result files? Running autoconf and friends at %build is discouraged. Unfortunately, I won't have a chance to work on this in the near future. Bummer. I can't fix the patches either. Given that, you think it's worth merging them in their current form? What needs to be fixed? You just want to remove use of automake/autoconf at build time? I could take a stab at that. I can handle that. The problem is the pam console removal, whatever that means. I think that means not relying on pam_console to set the correct permissions on devices, since it's due to be removed from Fedora, in favor of ACLs managed by HAL. See http://fedoraproject.org/wiki/Releases/FeatureRemovePAMConsole OK, now I know what the problem is. I still can't fix it, because I can't write code. From this point, we have two possible routes: - I incorporate patches in their current form, ignoring pam_console issues, or - I wait until someone adapts the patches to use the console. 2nd solution does not exclude the first one, the only question is whether it's worth the time. Created attachment 189001 [details]
fdi file to enable ACLs of the fingerprint reader device to be managed by HAL
Here's an (untested) fdi file which should enable HAL to set ACLs for the
fingerprint reader device so users logged-in on the console have access.
Thanks. Once the source code patches get updated, I'll merge that into Fedora immediately. I still need to get permissions set on /dev/input/uinput, which is a little tricky. This needs to be writable by the console user for gnome-screensaver to use the fingerprint reader. /dev/input/uinput doesn't currently show up in HAL, so I'm going to need a combination of udev rules and HAL fdi to set the permissions correctly. I'll see about writing and testing something in the next couple of days. Are there security issues with giving multiple non-root users write access to /dev/input/uinput? Since it can be used to simulate user input, could this be used to perform actions on behalf of another user? Awesome, good luck! A new srpm is available here: http://mikeb.fedorapeople.org/thinkfinger/thinkfinger-0.3-3.F7.ACS.fc7.src.rpm And testable binaries are available here: http://koji.fedoraproject.org/koji/taskinfo?taskID=168646 This package includes patches to make hal manage ACLs for the fingerprint reader device, and to disable use of autoconf in build. It should be ready to go for Fedora once your fix the Release: to be the correct value. Note that this package does not completely remove the dependency on pam_console. hal is unable to manage ACLs on /dev/input/uinput, and the code changes required to do so will not be added. ACL management is being moved from hal to udev, and at that point we will be able to remove the pam_console dependency. Also, this package will not work out-of-the-box at the moment. SELinux is preventing pam_console from setting the ownership of uinput. I've filed a bug, and hopefully it'll be fixed soon. The bug is: https://bugzilla.redhat.com/show_bug.cgi?id=300811 Once that bug is fixed, the only thing that should be required for fingerprint reader support, including gnome-screensaver integration, is the one-line change to /etc/pam.d/system-auth. OK, changes imported and built for f8 and f7. I'll push the appropriate update once selinux is ready. Do you think this will work under fc6? Jose: did you make any contact with upstream regarding these? Or maybe do you know what exactly the status of upstream is? Thanks for everyone involved. Does this require some changes screensaver-wise? I installed selinux-policy-2.6.4-44.fc7 an neither gnome-screensaver nor xscreensaver seem to care about me swiping my finger to unlock the screen. Got it. Fingerprints need to be re-taken in order to set ACLs. Now it works. Maybe we could use some rpm magic to do that automatically? thinkfinger-0.3-5.fc7 has been pushed to the Fedora 7 testing repository. If problems still persist, please make note of it in this bug report. thinkfinger-0.3-5.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report. |