Bug 476041 - fprintd_enroll aborts on error
Status: CLOSED WORKSFORME
Product: Fedora
Classification: Fedora
Component: fprintd
Version: 11
Hardware: All Linux
Priority: low, Severity: medium
Assigned To: Bastien Nocera
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-12-11 11:51 EST by Daniel Walsh
Modified: 2009-08-14 03:43 EDT
Doc Type: Bug Fix
Last Closed: 2009-07-21 08:49:54 EDT


Description Daniel Walsh 2008-12-11 11:51:12 EST
Description of problem:

When I use the finger print reader with sudo, I see the following

# ls -lZ /proc/self/fd
lr-x------  root root staff_u:unconfined_r:unconfined_t:s0 0 -> /dev/pts/0
lrwx------  root root staff_u:unconfined_r:unconfined_t:s0 1 -> /dev/pts/0
lrwx------  root root staff_u:unconfined_r:unconfined_t:s0 2 -> /dev/pts/0
lr-x------  root root staff_u:unconfined_r:unconfined_t:s0 3 -> /proc/19270/fd
lr-x------  root root staff_u:unconfined_r:unconfined_t:s0 4 -> pipe:[890982]
l-wx------  root root staff_u:unconfined_r:unconfined_t:s0 5 -> pipe:[890982]

If I remove the finger print reader and become root I see

# ls -lZ /proc/self/fd
lr-x------  root root staff_u:unconfined_r:unconfined_t:s0 0 -> /dev/pts/0
lrwx------  root root staff_u:unconfined_r:unconfined_t:s0 1 -> /dev/pts/0
lrwx------  root root staff_u:unconfined_r:unconfined_t:s0 2 -> /dev/pts/0
lr-x------  root root staff_u:unconfined_r:unconfined_t:s0 3 -> /proc/19942/fd


This is causing AVC messages when running with confined users in SELinux

# aud


#============= consoletype_t ==============
allow consoletype_t staff_sudo_t:fifo_file { write read };

#============= httpd_t ==============
allow httpd_t staff_sudo_t:fifo_file { write read };


This is a potential security problem depending on whether access to this fifo_file should be denied.

And it is a damn nuisance for SELinux.

The fifo_file should be closed on exec
fcntl(fd, F_SETFD, FD_CLOEXEC)

Not sure if this is a bug in pam_fprint or libfprint or libusb.
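
Editor's added example (not part of the report, and not code from pam_fprint, libfprint or libusb): the C program below reproduces the kind of leak described above, where a pipe created before exec shows up in the exec'd program's /proc/self/fd, and shows that setting FD_CLOEXEC, or creating the pipe with pipe2(O_CLOEXEC), stops the inheritance. The function names are hypothetical; it assumes Linux with /proc mounted and /bin/sh present.

```c
/* Added example, not code from fprintd, libfprint or libusb.
 * Linux only: assumes /proc is mounted and /bin/sh exists. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork, exec a shell, and let it look for `fd` in its own /proc/self/fd.
 * Returns 1 if the descriptor survived exec, 0 if not, -1 on error. */
static int fd_survives_exec(int fd)
{
    char cmd[64];
    int status;
    snprintf(cmd, sizeof cmd, "test -e /proc/self/fd/%d", fd);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                      /* exec itself failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) ||
        WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0;
}

/* mode 0: plain pipe(); mode 1: pipe() then fcntl(F_SETFD, FD_CLOEXEC);
 * mode 2: pipe2(O_CLOEXEC), which sets the flag atomically at creation.
 * Returns how many pipe ends (0..2) an exec'd program inherits, -1 on error. */
int leaked_pipe_ends(int mode)
{
    int p[2], r, w;
    if ((mode == 2 ? pipe2(p, O_CLOEXEC) : pipe(p)) < 0)
        return -1;
    if (mode == 1 && (fcntl(p[0], F_SETFD, FD_CLOEXEC) < 0 ||
                      fcntl(p[1], F_SETFD, FD_CLOEXEC) < 0))
        return -1;
    r = fd_survives_exec(p[0]);
    w = fd_survives_exec(p[1]);
    close(p[0]); close(p[1]);
    return (r < 0 || w < 0) ? -1 : r + w;
}

int main(void)
{
    for (int mode = 0; mode < 3; mode++)
        printf("mode %d: %d pipe end(s) leaked\n", mode, leaked_pipe_ends(mode));
}
```

In a multithreaded process, mode 2 is the form that leaves no window between creating the descriptor and marking it close-on-exec.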
Comment 1 Jindrich Novy 2008-12-11 14:13:20 EST
libusb seems to be at fault here from the first POV. It is possibly caused by bug #273901 and the "openat" patch. Please try these packages:

http://koji.fedoraproject.org/koji/taskinfo?taskID=993823

We are sure the leak originates from there if these packages don't leak any descriptors. I will fix it as soon as you confirm to me the leak is gone with the new packages.
Comment 2 Daniel Walsh 2008-12-11 16:42:08 EST
Tried it but it did not fix the problem.

# rpm -q libusb
libusb-0.1.12-21.fc10.x86_64

# ls -lZ /proc/self/fd
lr-x------  root root staff_u:unconfined_r:unconfined_t:s0 0 -> /dev/pts/4
lrwx------  root root staff_u:unconfined_r:unconfined_t:s0 1 -> /dev/pts/4
lrwx------  root root staff_u:unconfined_r:unconfined_t:s0 2 -> /dev/pts/4
lr-x------  root root staff_u:unconfined_r:unconfined_t:s0 3 -> /proc/29662/fd
lr-x------  root root staff_u:unconfined_r:unconfined_t:s0 4 -> pipe:[1015128]
l-wx------  root root staff_u:unconfined_r:unconfined_t:s0 5 -> pipe:[1015128]
Comment 3 Bastien Nocera 2008-12-17 09:40:48 EST
Do you use pam_fprint, or pam_fprintd?

I plugged a few leaks in pam_fprintd. pam_fprint is dead in rawhide.

If you use pam_fprint, please use pam_fprintd (there's support for it in authconfig), otherwise please try:
http://koji.fedoraproject.org/koji/taskinfo?taskID=1003496
Comment 4 Daniel Walsh 2008-12-17 10:48:04 EST
OK, I will switch to this product and try it out; if it has problems I will open a new bug.


Of course I can not check fprintd on Rawhide yet...

# fprintd-enroll 
Using device /net/reactivated/Fprint/Device/0
Enrolling right index finger.

** ERROR **: EnrollStart failed: net.reactivated.fprint.device.enroll no <-- (action, result)
aborting...
Trace/breakpoint trap
Comment 5 Bastien Nocera 2008-12-18 04:11:09 EST
It doesn't crash, it aborts on purpose. You need to be at the console, and you probably need to restart your machine, as PolicyKit (and likely D-Bus) won't notice new configuration files when installed.

Let me know if it still happens when your machine's been restarted. You can also use the "About me" preference to enroll your fingerprints.
Comment 6 Bug Zapper 2009-06-09 06:14:56 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 7 Bastien Nocera 2009-07-21 08:49:54 EDT
No answer for > 6 months, closing.
Comment 8 Noel J. Bergman 2009-08-13 14:29:34 EDT
Bastien,

Can we re-open this?  I am seeing the same error with Fedora 11:

  #  fprintd-enroll 
  Using device /net/reactivated/Fprint/Device/0
  Enrolling right index finger.

  ** ERROR **: EnrollStart failed: net.reactivated.fprint.device.enroll no <-- (action, result)
  aborting...
  Aborted

when I first become root and then try to enroll root.  Be happy to give you whatever info you need.
Comment 9 Bastien Nocera 2009-08-14 03:43:17 EDT
(In reply to comment #8)
> Bastien,
> 
> Can we re-open this?  I am seeing the same error with Fedora 11:
> 
>   #  fprintd-enroll 
>   Using device /net/reactivated/Fprint/Device/0
>   Enrolling right index finger.
> 
>   ** ERROR **: EnrollStart failed: net.reactivated.fprint.device.enroll no <--
> (action, result)
>   aborting...
>   Aborted
> 
> when I first become root and then try to enroll root.  Be happy to give you
> whatever info you need.  

That's unrelated. The original problem with the SELinux denial is fixed.
