Discussion:
[Thinkfinger-devel] Thinkfinger status and future plans
Julian Sikorski
2007-09-27 15:35:57 UTC
Permalink
Hi,

as some of you might know, I, together with Jose Plans, maintain
thinkfinger in Fedora. Quite recently, Mike Bonnet, basing on the work
started by William Jon McCann, successfully managed to make thinkfinger
work for software not running as root, such as screensavers.
The patches use pam_console, hal and PolicyKit to manage permissions and
ownership.
Since the patchset is becoming quite huge, it would be nice if they
could be incorporated upstream, serving common good. It's been quite
quiet here for a while, I am starting to worry about this project being
dead :( Some people even suggested a fork, but I hope this will not be
necessary.

Regards,
Julian

P.S.
For reference, here are the relevant bugzilla entries:
https://bugzilla.redhat.com/show_bug.cgi?id=246107
https://bugzilla.redhat.com/show_bug.cgi?id=305801

Patches can be grabbed here:
http://cvs.fedoraproject.org/viewcvs/rpms/thinkfinger/devel/
Timo Hoenig
2007-09-27 18:07:02 UTC
Permalink
Hi,
Post by Julian Sikorski
Since the patchset is becoming quite huge, it would be nice if they
could be incorporated upstream, serving common good. It's been quite
quiet here for a while, I am starting to worry about this project being
dead :( Some people even suggested a fork, but I hope this will not be
necessary.
Sorry for being quite these days, but you can imagine that [1] kept me
busy. We're about to have the gold master.

Please tell those "some people" they either (a) should wait until OS
10.3 is released or (b) get immediately in contact with me.

Thanks!

Timo

[1] http://en.opensuse.org/Roadmap/10.3
Julian Sikorski
2007-09-27 19:58:24 UTC
Permalink
Post by Timo Hoenig
Hi,
Post by Julian Sikorski
Since the patchset is becoming quite huge, it would be nice if they
could be incorporated upstream, serving common good. It's been quite
quiet here for a while, I am starting to worry about this project being
dead :( Some people even suggested a fork, but I hope this will not be
necessary.
Sorry for being quite these days, but you can imagine that [1] kept me
busy. We're about to have the gold master.
Please tell those "some people" they either (a) should wait until OS
10.3 is released or (b) get immediately in contact with me.
Thanks!
Timo
[1] http://en.opensuse.org/Roadmap/10.3
Glad to be hearing from you. I perfectly understand that preparing a
distro release can be quite time-consuming. I was just starting to fear
that you got bored and quit, but luckily that's not the case. Good luck
with 10.3!

CCing Mike as he's the one who suggested the fork.

Regards,
Julian
Christian Neumair
2007-11-14 22:34:09 UTC
Permalink
Dear Timo,
Post by Timo Hoenig
Hi,
Post by Julian Sikorski
Since the patchset is becoming quite huge, it would be nice if they
could be incorporated upstream, serving common good. It's been quite
quiet here for a while, I am starting to worry about this project being
dead :( Some people even suggested a fork, but I hope this will not be
necessary.
Sorry for being quite these days, but you can imagine that [1] kept me
busy. We're about to have the gold master.
Please tell those "some people" they either (a) should wait until OS
10.3 is released or (b) get immediately in contact with me.
Do you have any plans to pick up work on thinkfinger again, now that
10.3 has been released?

My patch set has been in the queue for some months now, and I really
fear a situation where unauthorized patches are distributed.

best regards,
--
Christian Neumair <***@gnome.org>
Timo Hoenig
2007-11-15 09:39:08 UTC
Permalink
Hi!
Post by Christian Neumair
Do you have any plans to pick up work on thinkfinger again, now that
10.3 has been released?
Yes, I'm about to scan the list and commit the missing patches. I was
on vacation over the last weeks, thus the delay.

Timo
Julian Sikorski
2007-11-15 14:12:15 UTC
Permalink
Post by Timo Hoenig
Hi!
Post by Christian Neumair
Do you have any plans to pick up work on thinkfinger again, now that
10.3 has been released?
Yes, I'm about to scan the list and commit the missing patches. I was
on vacation over the last weeks, thus the delay.
Timo
Would you care to take a look at the patches mentioned in the first
email in this thread? They make thinkfinger work with gnome-screensaver.

Regards,
Julian
Timo Hoenig
2007-11-15 14:31:57 UTC
Permalink
Hi!
Post by Julian Sikorski
Would you care to take a look at the patches mentioned in the first
email in this thread? They make thinkfinger work with gnome-screensaver.
You're referring to the ACL patches? Are you sure that they are still
required in combination with Christian's patches?

Btw. Earlier today I've sent a private mail to Jon asking him if he
wants the ACL patches to be included.

Thanks,

Timo
Julian Sikorski
2007-11-15 17:07:52 UTC
Permalink
Post by Timo Hoenig
Hi!
Post by Julian Sikorski
Would you care to take a look at the patches mentioned in the first
email in this thread? They make thinkfinger work with gnome-screensaver.
You're referring to the ACL patches? Are you sure that they are still
required in combination with Christian's patches?
Btw. Earlier today I've sent a private mail to Jon asking him if he
wants the ACL patches to be included.
Thanks,
Timo
I don't think that acl patches are needed anymore, given that
fingerprints are stored under $HOME. How about the device permissions part?

Regards,
Julian
Timo Hoenig
2007-11-15 17:24:57 UTC
Permalink
Hi!
Post by Julian Sikorski
I don't think that acl patches are needed anymore, given that
fingerprints are stored under $HOME. How about the device permissions part?
The device permissions are part of each distribution's configuration. I
see no point in shipping a default udev rule with the ThinkFinger tar
ball.

We shall not make the device world-writable by sneaking in a udev rule
at installation time.

However, we might want to add an instruction on how to set up a udev
rule and add this to the documentation and/or shipping a example rule.

Thanks,

Timo
Julian Sikorski
2007-11-15 17:30:17 UTC
Permalink
Post by Timo Hoenig
Hi!
Post by Julian Sikorski
I don't think that acl patches are needed anymore, given that
fingerprints are stored under $HOME. How about the device permissions part?
The device permissions are part of each distribution's configuration. I
see no point in shipping a default udev rule with the ThinkFinger tar
ball.
We shall not make the device world-writable by sneaking in a udev rule
at installation time.
However, we might want to add an instruction on how to set up a udev
rule and add this to the documentation and/or shipping a example rule.
Thanks,
Timo
I think you are right - not every distro out there might be ready for
PolicyKit and hal-managed permissions. I'll just keep the patches in the
RPM then.

Regards,
Julian
Justin Dugger
2007-11-15 20:36:28 UTC
Permalink
Post by Julian Sikorski
Post by Timo Hoenig
Hi!
Post by Julian Sikorski
Would you care to take a look at the patches mentioned in the first
email in this thread? They make thinkfinger work with gnome-screensaver.
You're referring to the ACL patches? Are you sure that they are still
required in combination with Christian's patches?
Btw. Earlier today I've sent a private mail to Jon asking him if he
wants the ACL patches to be included.
Thanks,
Timo
I don't think that acl patches are needed anymore, given that
fingerprints are stored under $HOME. How about the device permissions part?
Is $HOME really an acceptable place to store user auth information?
I've been avoiding that patch
because I'm not sure.

Justin Dugger
Timo Hoenig
2007-11-15 21:00:51 UTC
Permalink
Hi Justin!
Post by Justin Dugger
Is $HOME really an acceptable place to store user auth information?
Why not? Do you have any particular concern on your mind?
Post by Justin Dugger
I've been avoiding that patch because I'm not sure.
I talked to Ludwig about the patch earlier today, and he did not have
any concerns. It might raise issues when using pam_thinkfinger combined
with NFS homes, but for that, we still have the fallback to use
$sysconfdir/pam_thinkfinger/$USER.bir .

Thanks,

Timo
Julian Sikorski
2007-11-15 21:11:43 UTC
Permalink
Post by Timo Hoenig
Hi Justin!
Post by Justin Dugger
Is $HOME really an acceptable place to store user auth information?
Why not? Do you have any particular concern on your mind?
Post by Justin Dugger
I've been avoiding that patch because I'm not sure.
I talked to Ludwig about the patch earlier today, and he did not have
any concerns. It might raise issues when using pam_thinkfinger combined
with NFS homes, but for that, we still have the fallback to use
$sysconfdir/pam_thinkfinger/$USER.bir .
Thanks,
Timo
Would it make sense to add acls to these files then?
Timo Hoenig
2007-11-15 21:27:07 UTC
Permalink
(Please leave Ludwig in cc. He's not subscribed to the list)
Post by Julian Sikorski
Would it make sense to add acls to these files then?
The ACLs were used to reach the very same result: Let a user space
application without root permissions access the user's BIR file. Thus,
as long as I'm not missing something, it does not make sense to add ACLs
to the BIR files in the user's home directory.

Thanks,

Timo
Julian Sikorski
2007-11-15 21:36:42 UTC
Permalink
Post by Timo Hoenig
(Please leave Ludwig in cc. He's not subscribed to the list)
Post by Julian Sikorski
Would it make sense to add acls to these files then?
The ACLs were used to reach the very same result: Let a user space
application without root permissions access the user's BIR file. Thus,
as long as I'm not missing something, it does not make sense to add ACLs
to the BIR files in the user's home directory.
Thanks,
Timo
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Thinkfinger-devel mailing list
https://lists.sourceforge.net/lists/listinfo/thinkfinger-devel
I meant the fallback ones in /etc

Daniel Drake
2007-11-15 21:20:37 UTC
Permalink
Post by Timo Hoenig
I talked to Ludwig about the patch earlier today, and he did not have
any concerns. It might raise issues when using pam_thinkfinger combined
with NFS homes, but for that, we still have the fallback to use
$sysconfdir/pam_thinkfinger/$USER.bir .
Why might that cause issues?

I have confirmed that you can enroll on one device, get a bir, upload
that to another, and successfully verify. So storing in a homedir in the
NFS case is somewhat of a feature :)

Daniel
Timo Hoenig
2007-11-15 21:32:14 UTC
Permalink
Hi!
Post by Daniel Drake
Post by Timo Hoenig
I talked to Ludwig about the patch earlier today, and he did not have
any concerns. It might raise issues when using pam_thinkfinger combined
with NFS homes, but for that, we still have the fallback to use
$sysconfdir/pam_thinkfinger/$USER.bir .
Why might that cause issues?
I have confirmed that you can enroll on one device, get a bir, upload
that to another, and successfully verify. So storing in a homedir in the
NFS case is somewhat of a feature :)
If the NFS directory is mounted without the 'no root squash' option PAM
(running with root privileges) may not be able to access the BIR.

Timo
Loading...