It was found that fprintd saves fingerprint data, in ISO/IEC 19794-2 format and without any encryption, to a file with root permission on the host. This could allow a privileged process to access the stored fingerprint.

Upstream Bug: https://gitlab.freedesktop.org/libfprint/fprintd/issues/16
Created fprintd tracking bugs for this issue: Affects: fedora-all [bug 1693357]
Acknowledgments: Name: Seong-Joong Kim
The fprintd daemon in Red Hat Enterprise Linux is contained by the default installed SELinux policy. This prevents other applications (which don't need access to fingerprint data) from accessing this fingerprint data and therefore ensures a good level of security for the same. Also, as per upstream (https://gitlab.freedesktop.org/libfprint/fprintd/issues/16#note_141207), such an LSM-based security system should be enough to safeguard this data, and there is no short-term plan for any other implementation. Based on the above, Red Hat Product Security does not believe this to be a security flaw.
I don’t think it would be as good. Particularly, desktop users usually disable SELinux or change it to permissive mode. Instead, how about trying to add user authentication while attempting to access the fingerprint data? It would be possible to apply it since the fingerprint data is separately located in a different path (e.g., /var/lib/username/device-id/XXX).
Under such a scenario, I think it is not justifiable to shift protection responsibility to the OS entirely. Instead, we need to devise a data encryption/protection scheme at least. This issue can be even more important than password exposure in cleartext, because once a fingerprint has been leaked, victims are leaked for the rest of their lives, since it lasts for a lifetime. What do you think of it?
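The thread turns on two controls: SELinux confining fprintd, and root-only permissions on the stored prints. The following audit script is an added example, not part of the bug report or of fprintd; the store directory is passed as an argument (a placeholder, not a path taken from the project), GNU `find` is assumed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the two controls discussed in the thread.
# Usage: sh audit.sh /path/to/fingerprint/store   (path is a placeholder)

# selinux_mode: print Enforcing, Permissive, Disabled or Unknown.
selinux_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce
    elif [ -r /sys/fs/selinux/enforce ]; then
        if [ "$(cat /sys/fs/selinux/enforce)" = "1" ]; then
            echo Enforcing
        else
            echo Permissive
        fi
    else
        echo Unknown
    fi
}

# mode_finding MODE: report on a mode string; returns 0 only for Enforcing.
mode_finding() {
    case "$1" in
        Enforcing)  echo "OK: SELinux enforcing, policy confinement is enforced"; return 0 ;;
        Permissive) echo "WARN: SELinux permissive, denials are logged but not enforced"; return 1 ;;
        Disabled)   echo "WARN: SELinux disabled, no policy confinement"; return 1 ;;
        *)          echo "WARN: SELinux mode could not be determined"; return 1 ;;
    esac
}

# loose_entries DIR: list entries that grant any access to group or other.
loose_entries() {
    find "$1" ! -type l -perm /077 -print 2>/dev/null
}

# audit_store DIR MODE: returns 0 only if both controls hold.
audit_store() {
    dir=$1; mode=$2; rc=0
    mode_finding "$mode" || rc=1
    if [ ! -d "$dir" ]; then echo "INFO: $dir not present"; return "$rc"; fi
    loose=$(loose_entries "$dir")
    if [ -n "$loose" ]; then
        echo "WARN: accessible beyond owner:"; echo "$loose"; rc=1
    else
        echo "OK: $dir restricted to its owner"
    fi
    return "$rc"
}

if [ $# -gt 0 ]; then audit_store "$1" "$(selinux_mode)"; fi
```

A non-zero exit status means at least one of the two controls is not in effect on the host.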