Discussion:
[Thinkfinger-devel] thinkfinger patchset: small fixes, store fingerprints in home directory
Christian Neumair
2007-08-12 09:36:07 UTC
Dear thinkfinger-devel mailing list,

I've sent a similar message to the author of thinkfinger, Timo Hoenig,
in April, but he didn't have time for a review. I'm now sending it to
the mailing list so that it doesn't get lost:

The attached patches convey some small improvements and fixes, and also
allow people to store the fingerprints in their home directories instead
of using a global directory.


* tf-01-debug.diff: more verbosity for USB (de)initialization and for
errors while opening BIR files

* tf-02-unlink.diff: remove BIR file when acquisition fails. One could
also write to targetfile.bir.new before, and overwrite the old file
after acquisition using unlink/rename upon success.

* tf-03-strdup.diff: libthinkfinger should maintain an own copy of the
passed-in file name. I've developed a GUI application on top of
libthinkfinger, and it uses dynamic allocation for the file name. One
could also implement length asserts.

* tf-04-tf-tool.diff: Removed PAM ifdef, write to ~/.thinkfinger.bir by
default, but optionally to a custom path.

* tf-05-pam.diff: Make PAM look at ~/.thinkfinger.bir by default, fall
back to /etc/thinkfinger/username.bir for compatibility.

Other things:

I had some problems with a GUI client that uses two threads, a
libthinkfinger worker thread, and a conventional GTK+ main thread with a
main loop.

When sending a SIGINT, the libthinkfinger thread is terminated
correctly, and libthinkfinger_free() is called,
but at the next libthinkfinger_new() call the status is suddenly
TF_STATE_SIGINT. Possibly _libthinkfinger_usb_deinit
should set "termination_request = 0x00" too, or it should be reset in the
beginning of _init or _new routines.

It would also be nice if libthinkfinger could listen to SIGUSR1, since I
need SIGINT for the debugger.

I'm also attaching a udev rule, which I use to allow normal users in the
group "fingerprint" to access the reader. This allows normal users to
use tf-tool (and my GUI application), which is a prerequisite for
user-friendly fingerprint usage.

If any of you is interested in the code for the libthinkfinger GUI,
I can publish it as well.
--
Christian Neumair <***@gnome-de.org>
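
The alternative mentioned under tf-02-unlink.diff above (write to targetfile.bir.new first, then replace the old file only after a successful acquisition) can be sketched as follows. This is an added example, not code from the patchset or from libthinkfinger: the function name `bir_store_atomic`, the 0600 file mode and the fsync step are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Hypothetical helper (not a libthinkfinger function): store a template at
 * `path` so that a failed write never damages the existing file.
 * Returns 0 on success, -1 on error (errno set, temporary file removed). */
int bir_store_atomic(const char *path, const void *data, size_t len)
{
    char tmp[4096];
    const unsigned char *p = data;
    int fd, saved;

    if (snprintf(tmp, sizeof tmp, "%s.new", path) >= (int)sizeof tmp) {
        errno = ENAMETOOLONG;
        return -1;
    }
    /* O_CREAT|O_EXCL refuses a pre-existing file or symlink at the temp
     * name (EEXIST); 0600 keeps the template readable by its owner only. */
    fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n < 0 && errno == EINTR)
            continue;            /* interrupted by a signal: retry */
        if (n < 0)
            goto fail;
        p += n;
        len -= (size_t)n;
    }
    if (fsync(fd) != 0)          /* data on disk before it becomes visible */
        goto fail;
    if (close(fd) != 0) {
        fd = -1;
        goto fail;
    }
    fd = -1;
    if (rename(tmp, path) != 0)  /* atomic replace of the old template */
        goto fail;
    return 0;
fail:
    saved = errno;
    if (fd >= 0)
        close(fd);
    unlink(tmp);                 /* never leave a partial template behind */
    errno = saved;
    return -1;
}
```

Because rename() replaces the target in one step, a reader of the old path sees either the complete old template or the complete new one, never a truncated file.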
Timo Hoenig
2007-11-15 10:25:33 UTC
Hi!
Post by Christian Neumair
* tf-01-debug.diff: more verbosity for USB (de)initialization and for
errors while opening BIR files
* tf-02-unlink.diff: remove BIR file when acquisition fails. One could
also write to targetfile.bir.new before, and overwrite the old file
after acquisition using unlink/rename upon success.
* tf-03-strdup.diff: libthinkfinger should maintain an own copy of the
passed-in file name. I've developed a GUI application on top of
libthinkfinger, and it uses dynamic allocation for the file name. One
could also implement length asserts.
* tf-04-tf-tool.diff: Removed PAM ifdef, write to ~/.thinkfinger.bir by
default, but optionally to a custom path.
* tf-05-pam.diff: Make PAM look at ~/.thinkfinger.bir by default, fall
back to /etc/thinkfinger/username.bir for compatibility.
Those patches are in. Can you please post a patch to adjust the
corresponding bits in the documentation? Thanks!

Timo
Christian Neumair
2007-11-18 11:51:50 UTC
Dear Timo,
Post by Timo Hoenig
Hi!
Post by Christian Neumair
* tf-01-debug.diff: more verbosity for USB (de)initialization and for
errors while opening BIR files
* tf-02-unlink.diff: remove BIR file when acquisition fails. One could
also write to targetfile.bir.new before, and overwrite the old file
after acquisition using unlink/rename upon success.
* tf-03-strdup.diff: libthinkfinger should maintain an own copy of the
passed-in file name. I've developed a GUI application on top of
libthinkfinger, and it uses dynamic allocation for the file name. One
could also implement length asserts.
* tf-04-tf-tool.diff: Removed PAM ifdef, write to ~/.thinkfinger.bir by
default, but optionally to a custom path.
* tf-05-pam.diff: Make PAM look at ~/.thinkfinger.bir by default, fall
back to /etc/thinkfinger/username.bir for compatibility.
Those patches are in. Can you please post a patch to adjust the
corresponding bits in the documentation? Thanks!
Proposed patch attached.
--
Christian Neumair <***@gnome.org>
Luca Capello
2008-03-05 23:02:49 UTC
Hello!
Post by Christian Neumair
Post by Timo Hoenig
Those patches are in. Can you please post a patch to adjust the
corresponding bits in the documentation? Thanks!
Proposed patch attached.
Christian's patch is now in Debian with a small modification: I re-added
the example [2], which was partially removed.

Thx, bye,
Gismo / Luca

--8<---------------cut here---------------start------------->8---
--- thinkfinger.orig/README.in
+++ thinkfinger/README.in
@@ -32,15 +32,17 @@
Simple Test Tool: tf-tool
=========================

-Usage: tf-tool [--acquire | --verify | --add-user <login> ] [--verbose]
+Usage: tf-tool [--acquire | --verify ] [--verbose] [bir_file]

To acquire a fingerprint run 'tf-tool --acquire'. You will be prompted to
swipe your finger. It needs three successful swipes to get a fingerprint.
-This fingerprint is being stored in '/tmp/test.bir'.
+This fingerprint is by default stored in '~/.thinkfinger.bir', but you
+can override this location by passing the desired location as parameter.

-To verify a fingerprint run 'tf-tool --verify'. tf-tool will read a finger-
-print image from '/tmp/test.bir' and compare that with the finger which
-is being swiped.
+To verify a fingerprint run 'tf-tool --verify'. tf-tool will by default
+read a fingerprint image from ~/.thinkfinger.bir and compare that with the
+finger which is being swiped. You can override this location by passing
+the desired location as parameter.

Notes:

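Review bot: The new optional [bir_file] argument in the Usage line is documented for tf-tool only, and the README never says that a template written to a custom location falls outside what the PAM section further down lists for pam_thinkfinger (~/.thinkfinger.bir or '/etc/pam_thinkfinger/'). Add one sentence to that effect next to "you can override this location". Two style points in the same hunk: "[--acquire | --verify ]" has a stray space before the closing bracket, and the path is quoted as '~/.thinkfinger.bir' in the acquire paragraph but left unquoted in the verify paragraph.
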
@@ -48,8 +50,14 @@
USB device. On most distribution the device node can not be accessed by a
regular user.

-The switch '--add-user' is only available if ThinkFinger was built with PAM
-support.
+It is also possible to create a group who may access the fingerprint reader, and
+add the legitimate users of the fingerprint reader to it. For instance, the following
+udev.d rule can be put to /etc/udev/rules.d/51-fingerprint.rules to restrict access
+to the "fingerprint" group:
+
+ SUBSYSTEM!="usb_device", GOTO="fingerprint_rules_end"
+ SYSFS{idVendor}=="0483", SYSFS{idProduct}=="2016", MODE="0660", GROUP="fingerprint"
+ LABEL="fingerprint_rules_end"

Pluggable Authentication Module: pam_thinkfinger
================================================
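Review bot: The phrase "to restrict access to the "fingerprint" group" describes the rule backwards relative to the context line just above it, which says a regular user normally cannot access the device node: MODE="0660", GROUP="fingerprint" widens access to every member of that group, with read and write permission. Suggest wording it as granting access and stating that group members get read/write access to the reader. Also, "udev.d rule" should read "udev rule", "put to" should be "placed in", and the idVendor/idProduct pair 0483/2016 is given without saying which reader it matches.
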
@@ -71,12 +79,14 @@

See [1] for a complete example how '/etc/pam.d/common-auth' looks like.

-The module does only trigger for users which have deposited their fingerprint
-in '/etc/pam_thinkfinger/'.
+The module does trigger for users which have deposited their fingerprint
+in ~/.thinkfinger.bir, or in the '/etc/pam_thinkfinger/' directory.

E.g. if the user 'bob' wants to login using his fingerprint, his fingerprint
-needs to be stored at '/etc/pam_thinkfinger/bob.bir'. See [2] for a more
-detailed example.
+needs either to be stored at /home/bob/.thinkfinger.bir, or at
+'/etc/pam_thinkfinger/bob.bir'.
+
+See [2] for a complete example how to store a fingerprint image.

Notes:

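Review bot: The fallback directory named here is '/etc/pam_thinkfinger/', but the description of tf-05-pam.diff earlier in this thread says the module falls back to /etc/thinkfinger/username.bir; one of the two is wrong and the README should match the code. The sentence "in ~/.thinkfinger.bir, or in the '/etc/pam_thinkfinger/' directory" also leaves the lookup order unstated, while the patch description says the home directory file is the default and the /etc location the fallback. Since the module now reads a template from the user's home directory, the README should state the owner and permissions it expects on ~/.thinkfinger.bir. Style: "does trigger" reads oddly now that "only" is gone; "triggers" is enough.
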
@@ -148,7 +158,7 @@

[2] Example how to store a fingerprint image for user 'bob'

-***@host~> tf-tool --add-user bob
+***@host~> /usr/sbin/tf-tool --acquire

( Now user 'bob' has to swipe his finger three times )

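Review bot: With "tf-tool --add-user bob" replaced by a bare "--acquire", nothing in the example says which account runs the command. The heading still reads "for user 'bob'" and the output in the next hunk stores to /home/bob/.thinkfinger.bir, so the step has to be run as bob; say so explicitly. The "/usr/sbin/tf-tool" path is also inconsistent with the rest of the README, which calls plain "tf-tool".
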
@@ -157,6 +167,6 @@

Initializing... done.
Please swipe your finger (successful swipes 3/3, failed swipes: 0)... done.
-Storing data (/etc/pam_thinkfinger/bob)... done.
+Storing data (/home/bob/.thinkfinger.bir)... done.

Now 'bob' can authenticate himself by swiping his finger.
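Review bot: The updated line "Storing data (/home/bob/.thinkfinger.bir)... done." assumes bob can open the reader himself, yet the Notes in the tf-tool section say the device node cannot be accessed by a regular user on most distributions. The example should name the prerequisite, for instance membership in the "fingerprint" group from the udev rule added in the earlier hunk.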
--8<---------------cut here---------------end--------------->8---