Red Hat Bugzilla – Bug 246107
allow non root users
Last modified: 2015-01-14 18:20:11 EST
Currently thinkfinger doesn't work for non-root users. Due to this it doesn't
work with gnome-screensaver etc.
Here is an updated package that does work. It hasn't yet been adopted by
upstream because they thought it was "too fedora specific". But it works pretty
Do you have a link to the discussion?
Jose, what do you think?
That patch is good to me, I wanted to reply to Timo about it, but never had the
time for it. Let me keep this in NEEDINFO and I chase upstream up on this.
Jon, apologies I haven't come back to you on that thread in time.
OK. I probably won't be able to commit that until 4th of August due to problems
with proxy, so feel free to do that yourself.
Good that you're planning to chase upstream, since maintaining non-trivial
packages that upstream refuses to incorporate sooner or later becomes a PITA I
would prefer to avoid (vide caillon and xchat case).
I mean non-trivial patches, of course. Sorry for the confusion.
Any update on this? I'd love to see gnome-screensaver working with the
fingerprint reader in F7.
OK. Upstream seems to be dead. Anyway, let this patch be the swan song of the
That's a little disappointing. Any reason not to rebuild the package with the
patches provided by William? It seems that upstream adoption was the only thing
holding that up, and if there is no longer an active upstream it shouldn't be an
I spoke with Timo briefly at GUADEC. He said he didn't want these patches
because he is planning on completely redesigning thinkfinger. So, we're sorta
in limbo... Also, I guess these patches should be updated to not use pam-console.
Are you willing to update them? I am working on incorporating the current
version as we speak, but I can wait until you update them.
Also, could you also make a diff against autotools result files? Running
autoconf and friends at %build is discouraged.
Unfortunately, I won't have a chance to work on this in the near future.
Bummer. I can't fix the patches either. Given that, you think it's worth merging
them in their current form?
What needs to be fixed? You just want to remove use of automake/autoconf at
build time? I could take a stab at that.
I can handle that. The problem is the pam console removal, whatever that means.
I think that means not relying on pam_console to set the correct permissions on
devices, since it's due to be removed from Fedora, in favor of ACLs managed by
OK, now I know what the problem is. I still can't fix it, because I can't write
code. From this point, we have two possible routes:
- I incorporate patches in their current form, ignoring pam_console issues, or
- I wait until someone adapts the patches to use the console.
2nd solution does not exclude the first one, the only question is whether it's
worth the time.
Created attachment 189001 [details]
fdi file to enable ACLs of the fingerprint reader device to be managed by HAL
Here's an (untested) fdi file which should enable HAL to set ACLs for the
fingerprint reader device so users logged-in on the console have access.
Thanks. Once the source code patches get updated, I'll merge that into Fedora
I still need to get permissions set on /dev/input/uinput, which is a little
tricky. This needs to be writable by the console user for gnome-screensaver to
use the fingerprint reader. /dev/input/uinput doesn't currently show up in HAL,
so I'm going to need a combination of udev rules and HAL fdi to set the
permissions correctly. I'll see about writing and testing something in the next
couple of days.
Are there security issues with giving multiple non-root users write access to
/dev/input/uinput? Since it can be used to simulate user input, could this be
used to perform actions on behalf of another user?
Awesome, good luck!
A new srpm is available here:
And testable binaries are available here:
This package includes patches to make hal manage ACLs for the fingerprint reader
device, and to disable use of autoconf in build. It should be ready to go for
Fedora once your fix the Release: to be the correct value.
Note that this package does not completely remove the dependency on pam_console.
hal is unable to manage ACLs on /dev/input/uinput, and the code changes
required to do so will not be added. ACL management is being moved from hal to
udev, and at that point we will be able to remove the pam_console dependency.
Also, this package will not work out-of-the-box at the moment. SELinux is
preventing pam_console from setting the ownership of uinput. I've filed a bug,
and hopefully it'll be fixed soon. The bug is:
Once that bug is fixed, the only thing that should be required for fingerprint
reader support, including gnome-screensaver integration, is the one-line change
OK, changes imported and built for f8 and f7. I'll push the appropriate update
once selinux is ready. Do you think this will work under fc6?
Jose: did you make any contact with upstream regarding these? Or maybe do you
know what exactly the status of upstream is?
Thanks for everyone involved.
Does this require some changes screensaver-wise? I installed
selinux-policy-2.6.4-44.fc7 an neither gnome-screensaver nor xscreensaver seem
to care about me swiping my finger to unlock the screen.
Got it. Fingerprints need to be re-taken in order to set ACLs. Now it works.
Maybe we could use some rpm magic to do that automatically?
thinkfinger-0.3-5.fc7 has been pushed to the Fedora 7 testing repository. If problems still persist, please make note of it in this bug report.
thinkfinger-0.3-5.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.