Discussion:
[Thinkfinger-devel] [PATCH] Allow non-root users
William Jon McCann
2007-03-17 20:57:43 UTC
Hi,

This patch (which includes the acl patch too) should be a complete
solution to using thinkfinger with applications that don't run as root
(eg. screensavers).
* Adds the ACL to the .bir file
* Adds a udev rule to make a symlink in /dev/input
* Adds a console helper permissions rule for allowing console users
to write to thinkfinger device and uinput device
* Fixes a bug where if the usb write failed the CR was not sent to
the uinput device and the PAM module hangs waiting for input.

What do you think?

Thanks,
Jon
Stephan Berberig
2007-03-18 11:50:54 UTC
Hi Jon,

I think, your patch is too FC6 specific.

On Ubuntu, I don't have pam_console for the permission settings and also
libacl (version 2.2.39-1ubuntu2) gives me an error:


Setting ACL aquired file: /etc/pam_thinkfinger/stephan.bir.
Unable to set ACL of aquired file: /etc/pam_thinkfinger/stephan.bir:
Operation not supported


I also changed the permissions for the USB and uinput device manually,
but gnome-screensaver (or better the dialog) still hangs somewhere.

Thanks for helping.

Best regards,
Stephan
Post by William Jon McCann
Hi,
This patch (which includes the acl patch too) should be a complete
solution to using thinkfinger with applications that don't run as root
(eg. screensavers).
* Adds the ACL to the .bir file
* Adds a udev rule to make a symlink in /dev/input
* Adds a console helper permissions rule for allowing console users
to write to thinkfinger device and uinput device
* Fixes a bug where if the usb write failed the CR was not sent to
the uinput device and the PAM module hangs waiting for input.
What do you think?
Thanks,
Jon
------------------------------------------------------------------------
Index: tf-tool/tf-tool.c
===================================================================
--- tf-tool/tf-tool.c (revision 96)
+++ tf-tool/tf-tool.c (working copy)
@@ -1,4 +1,5 @@
- /* tf-test - A simple example for libthinkfinger
+ /* -*- Mode: C; tab-width: 8; indent-tabs-mode: t; c-basic-offset: 8 -*-
+ * tf-test - A simple example for libthinkfinger
*
* ThinkFinger - A driver for the UPEK/SGS Thomson Microelectronics
* fingerprint reader.
@@ -22,12 +23,18 @@
*
*/
+#include <config.h>
+
#include <sys/types.h>
+#include <sys/stat.h>
#include <errno.h>
#include <libgen.h>
#include <pwd.h>
-#include <config.h>
+#ifdef HAVE_SYS_ACL_H
+#include <acl/libacl.h>
+#endif
+
#include <libthinkfinger.h>
#define MODE_UNDEFINED 0
return retval;
}
+static int
+set_permissions_for_user (const char *path,
+ const char *username)
+{
+#ifdef HAVE_SYS_ACL_H
+ int res;
+ struct passwd *p;
+ acl_t acl;
+ acl_entry_t entry;
+ acl_permset_t permset;
+ uid_t uid;
+
+ /* this is so that a user is able to read his/her own file
+ * when reauthenticating via the screensaver etc. */
+ p = getpwnam (username);
+ uid = p->pw_uid;
+
+ fprintf (stderr, "Setting ACL aquired file: %s.\n",
+ path);
+
+ res = -1;
+
+ acl = acl_init (4);
+
+ /* User Obj */
+ if (acl_create_entry (&acl, &entry) == -1) {
+ goto out;
+ }
+ if (acl_get_permset (entry, &permset) == -1) {
+ goto out;
+ }
+ if (acl_clear_perms (permset) == -1) {
+ goto out;
+ }
+ if (acl_add_perm (permset, ACL_READ) == -1) {
+ goto out;
+ }
+ if (acl_add_perm (permset, ACL_WRITE) == -1) {
+ goto out;
+ }
+ if (acl_set_tag_type (entry, ACL_USER_OBJ) == -1) {
+ goto out;
+ }
+ if (acl_set_permset (entry, permset) == -1) {
+ goto out;
+ }
+
+ /* Group Obj */
+ if (acl_create_entry (&acl, &entry) == -1) {
+ goto out;
+ }
+ if (acl_get_permset (entry, &permset) == -1) {
+ goto out;
+ }
+ if (acl_clear_perms (permset) == -1) {
+ goto out;
+ }
+ if (acl_set_tag_type (entry, ACL_GROUP_OBJ) == -1) {
+ goto out;
+ }
+ if (acl_set_permset (entry, permset) == -1) {
+ goto out;
+ }
+
+ /* Others */
+ if (acl_create_entry (&acl, &entry) == -1) {
+ goto out;
+ }
+ if (acl_get_permset (entry, &permset) == -1) {
+ goto out;
+ }
+ if (acl_clear_perms (permset) == -1) {
+ goto out;
+ }
+ if (acl_set_tag_type (entry, ACL_OTHER) == -1) {
+ goto out;
+ }
+ if (acl_set_permset (entry, permset) == -1) {
+ goto out;
+ }
+
+ /* Mask */
+ if (acl_create_entry (&acl, &entry) == -1) {
+ goto out;
+ }
+ if (acl_get_permset (entry, &permset) == -1) {
+ goto out;
+ }
+ if (acl_clear_perms (permset) == -1) {
+ goto out;
+ }
+ if (acl_add_perm (permset, ACL_READ) == -1) {
+ goto out;
+ }
+ if (acl_set_tag_type (entry, ACL_MASK) == -1) {
+ goto out;
+ }
+ if (acl_set_permset (entry, permset) == -1) {
+ goto out;
+ }
+
+ /* User */
+ if (acl_create_entry (&acl, &entry) == -1) {
+ goto out;
+ }
+ if (acl_set_tag_type (entry, ACL_USER) == -1) {
+ goto out;
+ }
+ if (acl_set_qualifier (entry, &uid) == -1) {
+ goto out;
+ }
+ if (acl_get_permset (entry, &permset) == -1) {
+ goto out;
+ }
+ if (acl_clear_perms (permset) == -1) {
+ goto out;
+ }
+ if (acl_add_perm (permset, ACL_READ) == -1) {
+ goto out;
+ }
+ if (acl_set_permset (entry, permset) == -1) {
+ goto out;
+ }
+
+ res = acl_set_file (path, ACL_TYPE_ACCESS, acl);
+
+ acl_free (acl);
+ if (res != 0) {
+ fprintf (stderr, "Unable to set ACL of aquired file: %s: %s\n",
+ path,
+ strerror (errno));
+ }
+
+#endif
+ return res;
+}
+
int
main (int argc, char *argv[])
{
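
Review bot: in set_permissions_for_user, `p = getpwnam (username);` is followed directly by `uid = p->pw_uid;` with no NULL check, so an unknown user name crashes tf-tool after the fingerprint record has already been written. Return an error when getpwnam returns NULL. The result of `acl_init (4)` is not tested either, and five entries (user obj, group obj, other, mask, named user) are created afterwards, so `acl_init (5)` with a check of the returned handle would match what the function actually builds.
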
@@ -313,6 +458,8 @@ main (int argc, char *argv[])
const char *user;
#endif
+ user = NULL;
+
printf ("%s\n", BANNER);
if (argc == 1) {
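
Review bot: `user = NULL;` is added after the `#endif`, while the declaration `const char *user;` sits just above it inside the conditional block. When that condition is false the assignment refers to an undeclared variable and the build breaks. Initialise at the declaration instead (`const char *user = NULL;`) and keep every later use of `user` under the same guard.
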
@@ -456,13 +603,18 @@ main (int argc, char *argv[])
}
if (tfdata.mode == MODE_ACQUIRE) {
+ umask (0077);
retval = acquire (&tfdata);
+ if (retval == 0 && user != NULL) {
+ set_permissions_for_user (tfdata.bir, user);
+ }
} else if (tfdata.mode == MODE_VERIFY) {
retval = verify (&tfdata);
} else {
usage (argv[0]);
retval = -1;
}
+
exit (retval);
}
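
Review bot: the return value of `set_permissions_for_user (tfdata.bir, user)` is dropped, so tf-tool exits 0 after a successful acquire even when the ACL could not be applied and the record stays readable by root only. Either fold the failure into retval or print a clear hint telling the admin what to fix. The `umask (0077);` before acquire is a good addition; a one-line comment that it keeps the record private until the ACL is set would explain why it is there.
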
Index: tf-tool/Makefile.am
===================================================================
--- tf-tool/Makefile.am (revision 96)
+++ tf-tool/Makefile.am (working copy)
@@ -3,5 +3,5 @@ sbin_PROGRAMS = tf-tool
INCLUDES = -I$(top_srcdir)/libthinkfinger
tf_tool_SOURCES = tf-tool.c
-tf_tool_LDADD = $(top_builddir)/libthinkfinger/libthinkfinger.la
+tf_tool_LDADD = $(ACL_LIBS) $(top_builddir)/libthinkfinger/libthinkfinger.la
tf_tool_CFLAGS = $(CFLAGS)
Index: configure.in
===================================================================
--- configure.in (revision 96)
+++ configure.in (working copy)
@@ -71,6 +71,11 @@ AC_ARG_ENABLE(securedir, AC_HELP_STRING(
# AC_ARG_ENABLE_BIR_DIR
+# Check for libacl
+AC_CHECK_HEADERS(sys/acl.h)
+AC_CHECK_LIB(acl, acl_set_file, [ACL_LIBS="-lacl"], AC_MSG_ERROR([libacl missing]))
+AC_SUBST(ACL_LIBS)
+
# Check for libusb using pkg-config
PKG_CHECK_MODULES(USB, libusb >= 0.1.11, usb_found=yes, AC_MSG_ERROR([libusb missing]))
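
Review bot: AC_CHECK_LIB ends in `AC_MSG_ERROR([libacl missing])`, which makes libacl a hard build requirement, while tf-tool.c wraps all of the ACL code in `#ifdef HAVE_SYS_ACL_H` as if it were optional. Pick one model: either drop the error and leave ACL_LIBS empty when the library is absent, or fail on a missing sys/acl.h as well and remove the #ifdef. As written, a system with the library but without the header passes configure and then silently compiles the ACL code out.
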
@@ -170,6 +175,7 @@ AM_CONDITIONAL(HAVE_OLD_PAM, test "x$HAV
AC_CONFIG_FILES([Makefile
README
INSTALL
+ data/Makefile
docs/Makefile
docs/autodocs/Makefile
libthinkfinger/Makefile
Index: Makefile.am
===================================================================
--- Makefile.am (revision 96)
+++ Makefile.am (working copy)
@@ -1,5 +1,5 @@
-if BUILD_PAM
+if BUILD_PAM
PAM_SUBDIR=pam
endif
-SUBDIRS = docs libthinkfinger tf-tool $(PAM_SUBDIR)
+SUBDIRS = data docs libthinkfinger tf-tool $(PAM_SUBDIR)
Index: data/60-thinkfinger.perms
===================================================================
--- data/60-thinkfinger.perms (revision 0)
+++ data/60-thinkfinger.perms (revision 0)
@@ -0,0 +1,4 @@
+<thinkfinger>=/dev/input/thinkfinger-*
+<uinput>=/dev/uinput /dev/misc/uinput /dev/input/uinput
+<console> 0600 <thinkfinger> 0600 root
+<console> 0600 <uinput> 0600 root
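
Review bot: the last line, `<console> 0600 <uinput> 0600 root`, hands /dev/uinput to whoever is logged in at the console, so every process of that user can create virtual input devices and inject keystrokes, not only the PAM module. That is a much wider grant than letting the screensaver complete a fingerprint login. Consider keeping uinput root-only and sending the carriage return from a small privileged helper, or at least document the trade-off next to this rule. The same question applies to raw access to the reader through `<thinkfinger>`.
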
Index: data/60-thinkfinger.rules
===================================================================
--- data/60-thinkfinger.rules (revision 0)
+++ data/60-thinkfinger.rules (revision 0)
@@ -0,0 +1,11 @@
+#
+# udev rules file for the thinkfinger fingerprint scanner
+#
+
+ACTION!="add", GOTO="thinkfinger_rules_end"
+SUBSYSTEM!="usb_device", GOTO="thinkfinger_rules_end"
+
+# SGS Thomson Microelectronics Fingerprint Reader
+SYSFS{idVendor}=="0483", SYSFS{idProduct}=="2016", SYMLINK+="input/thinkfinger-%k"
+
+LABEL="thinkfinger_rules_end"
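
Review bot: the match line only adds `SYMLINK+="input/thinkfinger-%k"` and sets no OWNER, GROUP or MODE, so on a system without pam_console the device node stays root-only and the rule does nothing for non-root users. Say in the header comment that permissions come from console.perms, or assign a dedicated group and mode here so the rule is useful without pam_console.
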
Index: data/Makefile.am
===================================================================
--- data/Makefile.am (revision 0)
+++ data/Makefile.am (revision 0)
@@ -0,0 +1,9 @@
+## Process this file with automake to produce Makefile.in
+
+udevrulesdir = $(sysconfdir)/udev/rules.d
+udevrules_DATA = 60-thinkfinger.rules
+
+consolepermsdir = $(sysconfdir)/security/console.perms.d
+consoleperms_DATA = 60-thinkfinger.perms
+
+EXTRA_DIST = 60-thinkfinger.rules 60-thinkfinger.perms
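
Review bot: `consoleperms_DATA = 60-thinkfinger.perms` is installed unconditionally into $(sysconfdir)/security/console.perms.d, a directory that only pam_console reads. Put the two consoleperms lines behind a configure switch and an automake conditional so that distributions without pam_console do not get a dead file installed.
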
Index: autogen.sh
===================================================================
--- autogen.sh (revision 96)
+++ autogen.sh (working copy)
@@ -7,3 +7,5 @@ autoheader
aclocal
automake --add-missing
autoconf
+
Index: pam/pam_thinkfinger.c
===================================================================
--- pam/pam_thinkfinger.c (revision 96)
+++ pam/pam_thinkfinger.c (working copy)
@@ -146,14 +146,13 @@ static void thinkfinger_thread (void *da
pam_thinkfinger->swipe_retval = PAM_AUTH_ERR;
pam_thinkfinger_log (pam_thinkfinger, LOG_NOTICE,
"User '%s' verification failed (0x%x).", pam_thinkfinger->user, tf_state);
- goto out;
}
ret = uinput_cr (&pam_thinkfinger->uinput_fd);
if (ret != 0)
pam_thinkfinger_log (pam_thinkfinger, LOG_ERR,
"Could not send carriage return via uinput: %s.", strerror (ret));
+
pam_thinkfinger_log (pam_thinkfinger, LOG_NOTICE,
"%s returning '%d': %s.", __FUNCTION__, pam_thinkfinger->swipe_retval,
pam_thinkfinger->swipe_retval ? pam_strerror (pam_thinkfinger->pamh, pam_thinkfinger->swipe_retval) : "success");
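
Review bot: with `goto out;` removed from the failure branch, the carriage return is now sent via uinput after a failed verification as well. That is the intent of the fix, but nothing in the code says so; add a comment above `ret = uinput_cr (&pam_thinkfinger->uinput_fd);` stating that the CR must be sent on both the success and the failure path so the waiting prompt is released. Also check whether the `out` label still has other users in this function, otherwise it is left unused.
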
------------------------------------------------------------------------
_______________________________________________
Thinkfinger-devel mailing list
https://lists.sourceforge.net/lists/listinfo/thinkfinger-devel
William Jon McCann
2007-03-18 15:18:50 UTC
Hello,
Post by Stephan Berberig
Hi Jon,
I think, your patch is too FC6 specific.
On Ubuntu, I don't have pam_console for the permission settings and also
Setting ACL aquired file: /etc/pam_thinkfinger/stephan.bir.
Operation not supported
I don't think the patch is particularly Fedora specific. Here is
another patch that makes the console.perms installation optional at
configure time (off by default). It also fixes another problem where
the PAM module doesn't identify early enough that there is no device
installed.

I'm not sure why the ACL stuff isn't working on Ubuntu. Can you try
using the setfacl command to see if that works? Also, the message you
are getting is only a warning not a fatal error - the file was still
written and complete.

Thanks,
Jon
Stephan Berberig
2007-03-18 15:56:13 UTC
Hello,

could you give me an example how to test with setfacl? I tried "sudo
setfacl -m u:stephan:r /etc/pam_thinkfinger/stephan.bir". Still that
"Operation not supported".

And I think, we don't look at the real issue:
1) gnome-screensaver dialog doesn't show "Password or swipe finger:" prompt.
2) it hangs somewhere. I can't type in a password.


BTW, why do I need the udev rule when I don't use pam_console? I think,
this should also be dependant on "--enable-console-perms".

Thanks,
Stephan
Post by William Jon McCann
Hello,
Post by Stephan Berberig
Hi Jon,
I think, your patch is too FC6 specific.
On Ubuntu, I don't have pam_console for the permission settings and also
Setting ACL aquired file: /etc/pam_thinkfinger/stephan.bir.
Operation not supported
I don't think the patch is particularly Fedora specific. Here is
another patch that makes the console.perms installation optional at
configure time (off by default). It also fixes another problem where
the PAM module doesn't identify early enough that there is no device
installed.
I'm not sure why the ACL stuff isn't working on Ubuntu. Can you try
using the setfacl command to see if that works? Also, the message you
are getting is only a warning not a fatal error - the file was still
written and complete.
Thanks,
Jon
------------------------------------------------------------------------
Index: tf-tool/tf-tool.c
===================================================================
--- tf-tool/tf-tool.c (revision 96)
+++ tf-tool/tf-tool.c (working copy)
@@ -1,4 +1,5 @@
- /* tf-test - A simple example for libthinkfinger
+ /* -*- Mode: C; tab-width: 8; indent-tabs-mode: t; c-basic-offset: 8 -*-
+ * tf-test - A simple example for libthinkfinger
*
* ThinkFinger - A driver for the UPEK/SGS Thomson Microelectronics
* fingerprint reader.
@@ -22,12 +23,18 @@
*
*/
+#include <config.h>
+
#include <sys/types.h>
+#include <sys/stat.h>
#include <errno.h>
#include <libgen.h>
#include <pwd.h>
-#include <config.h>
+#ifdef HAVE_SYS_ACL_H
+#include <acl/libacl.h>
+#endif
+
#include <libthinkfinger.h>
#define MODE_UNDEFINED 0
return retval;
}
+static int
+set_permissions_for_user (const char *path,
+ const char *username)
+{
+#ifdef HAVE_SYS_ACL_H
+ int res;
+ struct passwd *p;
+ acl_t acl;
+ acl_entry_t entry;
+ acl_permset_t permset;
+ uid_t uid;
+
+ /* this is so that a user is able to read his/her own file
+ * when reauthenticating via the screensaver etc. */
+ p = getpwnam (username);
+ uid = p->pw_uid;
+
+ fprintf (stderr, "Setting ACL on aquired file: %s.\n",
+ path);
+
+ res = -1;
+
+ acl = acl_init (4);
+
+ /* User Obj */
+ if (acl_create_entry (&acl, &entry) == -1) {
+ goto out;
+ }
+ if (acl_get_permset (entry, &permset) == -1) {
+ goto out;
+ }
+ if (acl_clear_perms (permset) == -1) {
+ goto out;
+ }
+ if (acl_add_perm (permset, ACL_READ) == -1) {
+ goto out;
+ }
+ if (acl_add_perm (permset, ACL_WRITE) == -1) {
+ goto out;
+ }
+ if (acl_set_tag_type (entry, ACL_USER_OBJ) == -1) {
+ goto out;
+ }
+ if (acl_set_permset (entry, permset) == -1) {
+ goto out;
+ }
+
+ /* Group Obj */
+ if (acl_create_entry (&acl, &entry) == -1) {
+ goto out;
+ }
+ if (acl_get_permset (entry, &permset) == -1) {
+ goto out;
+ }
+ if (acl_clear_perms (permset) == -1) {
+ goto out;
+ }
+ if (acl_set_tag_type (entry, ACL_GROUP_OBJ) == -1) {
+ goto out;
+ }
+ if (acl_set_permset (entry, permset) == -1) {
+ goto out;
+ }
+
+ /* Others */
+ if (acl_create_entry (&acl, &entry) == -1) {
+ goto out;
+ }
+ if (acl_get_permset (entry, &permset) == -1) {
+ goto out;
+ }
+ if (acl_clear_perms (permset) == -1) {
+ goto out;
+ }
+ if (acl_set_tag_type (entry, ACL_OTHER) == -1) {
+ goto out;
+ }
+ if (acl_set_permset (entry, permset) == -1) {
+ goto out;
+ }
+
+ /* Mask */
+ if (acl_create_entry (&acl, &entry) == -1) {
+ goto out;
+ }
+ if (acl_get_permset (entry, &permset) == -1) {
+ goto out;
+ }
+ if (acl_clear_perms (permset) == -1) {
+ goto out;
+ }
+ if (acl_add_perm (permset, ACL_READ) == -1) {
+ goto out;
+ }
+ if (acl_set_tag_type (entry, ACL_MASK) == -1) {
+ goto out;
+ }
+ if (acl_set_permset (entry, permset) == -1) {
+ goto out;
+ }
+
+ /* User */
+ if (acl_create_entry (&acl, &entry) == -1) {
+ goto out;
+ }
+ if (acl_set_tag_type (entry, ACL_USER) == -1) {
+ goto out;
+ }
+ if (acl_set_qualifier (entry, &uid) == -1) {
+ goto out;
+ }
+ if (acl_get_permset (entry, &permset) == -1) {
+ goto out;
+ }
+ if (acl_clear_perms (permset) == -1) {
+ goto out;
+ }
+ if (acl_add_perm (permset, ACL_READ) == -1) {
+ goto out;
+ }
+ if (acl_set_permset (entry, permset) == -1) {
+ goto out;
+ }
+
+ res = acl_set_file (path, ACL_TYPE_ACCESS, acl);
+
+ acl_free (acl);
+ if (res != 0) {
+ fprintf (stderr, "Unable to set ACL of aquired file: %s: %s\n",
+ path,
+ strerror (errno));
+ }
+
+#endif
+ return res;
+}
+
int
main (int argc, char *argv[])
{
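
Review bot: unchanged from the first version of the patch, `int res;` is declared inside `#ifdef HAVE_SYS_ACL_H` but `return res;` sits after the `#endif`, so set_permissions_for_user does not compile when the header is missing; declare `int res = -1;` before the #ifdef. Every error path does `goto out;`, yet no `out:` label appears in the function as posted. It has to sit before `acl_free (acl);` so that the early exits release the ACL too.
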
@@ -313,6 +458,8 @@ main (int argc, char *argv[])
const char *user;
#endif
+ user = NULL;
+
printf ("%s\n", BANNER);
if (argc == 1) {
@@ -456,13 +603,18 @@ main (int argc, char *argv[])
}
if (tfdata.mode == MODE_ACQUIRE) {
+ umask (0077);
retval = acquire (&tfdata);
+ if (retval == 0 && user != NULL) {
+ set_permissions_for_user (tfdata.bir, user);
+ }
} else if (tfdata.mode == MODE_VERIFY) {
retval = verify (&tfdata);
} else {
usage (argv[0]);
retval = -1;
}
+
exit (retval);
}
Index: tf-tool/Makefile.am
===================================================================
--- tf-tool/Makefile.am (revision 96)
+++ tf-tool/Makefile.am (working copy)
@@ -3,5 +3,5 @@ sbin_PROGRAMS = tf-tool
INCLUDES = -I$(top_srcdir)/libthinkfinger
tf_tool_SOURCES = tf-tool.c
-tf_tool_LDADD = $(top_builddir)/libthinkfinger/libthinkfinger.la
+tf_tool_LDADD = $(ACL_LIBS) $(top_builddir)/libthinkfinger/libthinkfinger.la
tf_tool_CFLAGS = $(CFLAGS)
Index: configure.in
===================================================================
--- configure.in (revision 96)
+++ configure.in (working copy)
@@ -71,6 +71,20 @@ AC_ARG_ENABLE(securedir, AC_HELP_STRING(
# AC_ARG_ENABLE_BIR_DIR
+# Check for libacl
+AC_CHECK_HEADERS(sys/acl.h)
+AC_CHECK_LIB(acl, acl_set_file, [ACL_LIBS="-lacl"], AC_MSG_ERROR([libacl missing]))
+AC_SUBST(ACL_LIBS)
+
+AC_ARG_ENABLE(console-perms,
+ [ --enable-console-perms=[auto/no/yes] Enable console perms [default=auto]],,
+ enable_console_perms=auto)
+if test "x$enable_console_perms" = "xyes"; then
+ AM_CONDITIONAL(USE_CONSOLE_PERMS, true)
+else
+ AM_CONDITIONAL(USE_CONSOLE_PERMS, false)
+fi
+
# Check for libusb using pkg-config
PKG_CHECK_MODULES(USB, libusb >= 0.1.11, usb_found=yes, AC_MSG_ERROR([libusb missing]))
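
Review bot: the help string advertises `[default=auto]` and enable_console_perms defaults to auto, but the test only accepts "xyes", so auto behaves exactly like no. Either implement auto (for example by testing for the console.perms.d directory) or document the default as no. The if/else around the two AM_CONDITIONAL calls can be collapsed into `AM_CONDITIONAL(USE_CONSOLE_PERMS, test "x$enable_console_perms" = "xyes")`.
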
@@ -170,6 +184,7 @@ AM_CONDITIONAL(HAVE_OLD_PAM, test "x$HAV
AC_CONFIG_FILES([Makefile
README
INSTALL
+ data/Makefile
docs/Makefile
docs/autodocs/Makefile
libthinkfinger/Makefile
Index: libthinkfinger/libthinkfinger.c
===================================================================
--- libthinkfinger/libthinkfinger.c (revision 96)
+++ libthinkfinger/libthinkfinger.c (working copy)
@@ -1,4 +1,5 @@
-/*
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: t; c-basic-offset: 8 -*-
+ *
* ThinkFinger - A driver for the UPEK/SGS Thomson Microelectronics
* fingerprint reader.
*
@@ -40,6 +41,14 @@
#include "libthinkfinger.h"
#include "libthinkfinger-crc.h"
+#ifndef FALSE
+#define FALSE (0)
+#endif
+
+#ifndef TRUE
+#define TRUE (!FALSE)
+#endif
+
#define VENDOR_ID 0x0483
#define PRODUCT_ID 0x2016
#define USB_TIMEOUT 250
@@ -221,6 +230,20 @@ static void _libthinkfinger_usb_deinit (
tf->usb_dev_handle = NULL;
}
+int libthinkfinger_has_device (libthinkfinger *tf)
+{
+ struct usb_device *usb_dev;
+ int retval;
+
+ retval = FALSE;
+ usb_dev = _libthinkfinger_usb_device_find ();
+ if (usb_dev != NULL) {
+ retval = TRUE;
+ }
+
+ return retval;
+}
+
static libthinkfinger_init_status _libthinkfinger_usb_init (libthinkfinger *tf)
{
libthinkfinger_init_status retval = TF_INIT_UNDEFINED;
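
Review bot: libthinkfinger_has_device takes `libthinkfinger *tf` but never uses it; the result comes only from `_libthinkfinger_usb_device_find ()`, so the function reports whether any reader is on the bus rather than anything about this handle. Either drop the parameter or document in the header that it is ignored and may be NULL. The body reduces to `return _libthinkfinger_usb_device_find () != NULL;`, which also makes the TRUE/FALSE defines added at the top of the file unnecessary.
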
Index: libthinkfinger/libthinkfinger.h
===================================================================
--- libthinkfinger/libthinkfinger.h (revision 96)
+++ libthinkfinger/libthinkfinger.h (working copy)
@@ -156,6 +156,16 @@ libthinkfinger_result libthinkfinger_ver
*/
libthinkfinger *libthinkfinger_new(libthinkfinger_init_status* init_status);
+ *
+ * check to see if a scanner device is present
+ *
+ *
+ */
+int libthinkfinger_has_device(libthinkfinger *tf);
+
*
Index: data/60-thinkfinger.perms
===================================================================
--- data/60-thinkfinger.perms (revision 0)
+++ data/60-thinkfinger.perms (revision 0)
@@ -0,0 +1,4 @@
+<thinkfinger>=/dev/input/thinkfinger-*
+<uinput>=/dev/uinput /dev/misc/uinput /dev/input/uinput
+<console> 0600 <thinkfinger> 0600 root
+<console> 0600 <uinput> 0600 root
Index: data/60-thinkfinger.rules
===================================================================
--- data/60-thinkfinger.rules (revision 0)
+++ data/60-thinkfinger.rules (revision 0)
@@ -0,0 +1,11 @@
+#
+# udev rules file for the thinkfinger fingerprint scanner
+#
+
+ACTION!="add", GOTO="thinkfinger_rules_end"
+SUBSYSTEM!="usb_device", GOTO="thinkfinger_rules_end"
+
+# SGS Thomson Microelectronics Fingerprint Reader
+SYSFS{idVendor}=="0483", SYSFS{idProduct}=="2016", SYMLINK+="input/thinkfinger-%k"
+
+LABEL="thinkfinger_rules_end"
Index: data/Makefile.am
===================================================================
--- data/Makefile.am (revision 0)
+++ data/Makefile.am (revision 0)
@@ -0,0 +1,11 @@
+## Process this file with automake to produce Makefile.in
+
+udevrulesdir = $(sysconfdir)/udev/rules.d
+udevrules_DATA = 60-thinkfinger.rules
+
+if USE_CONSOLE_PERMS
+consolepermsdir = $(sysconfdir)/security/console.perms.d
+consoleperms_DATA = 60-thinkfinger.perms
+endif
+
+EXTRA_DIST = 60-thinkfinger.rules 60-thinkfinger.perms
Index: Makefile.am
===================================================================
--- Makefile.am (revision 96)
+++ Makefile.am (working copy)
@@ -1,5 +1,5 @@
-if BUILD_PAM
+if BUILD_PAM
PAM_SUBDIR=pam
endif
-SUBDIRS = docs libthinkfinger tf-tool $(PAM_SUBDIR)
+SUBDIRS = data docs libthinkfinger tf-tool $(PAM_SUBDIR)
Index: autogen.sh
===================================================================
--- autogen.sh (revision 96)
+++ autogen.sh (working copy)
@@ -7,3 +7,5 @@ autoheader
aclocal
automake --add-missing
autoconf
+
Index: pam/pam_thinkfinger.c
===================================================================
--- pam/pam_thinkfinger.c (revision 96)
+++ pam/pam_thinkfinger.c (working copy)
@@ -1,4 +1,6 @@
-/* ThinkFinger Pluggable Authentication Module
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: t; c-basic-offset: 8 -*-
+ *
+ * ThinkFinger Pluggable Authentication Module
*
* PAM module for libthinkfinger which is a driver for the UPEK/SGS Thomson
* Microelectronics fingerprint reader.
@@ -146,14 +148,13 @@ static void thinkfinger_thread (void *da
pam_thinkfinger->swipe_retval = PAM_AUTH_ERR;
pam_thinkfinger_log (pam_thinkfinger, LOG_NOTICE,
"User '%s' verification failed (0x%x).", pam_thinkfinger->user, tf_state);
- goto out;
}
ret = uinput_cr (&pam_thinkfinger->uinput_fd);
if (ret != 0)
pam_thinkfinger_log (pam_thinkfinger, LOG_ERR,
"Could not send carriage return via uinput: %s.", strerror (ret));
+
pam_thinkfinger_log (pam_thinkfinger, LOG_NOTICE,
"%s returning '%d': %s.", __FUNCTION__, pam_thinkfinger->swipe_retval,
pam_thinkfinger->swipe_retval ? pam_strerror (pam_thinkfinger->pamh, pam_thinkfinger->swipe_retval) : "success");
@@ -241,6 +242,15 @@ int pam_sm_authenticate (pam_handle_t *p
goto out;
}
+ ret = libthinkfinger_has_device (pam_thinkfinger.tf);
+ if (! ret) {
+ retval = PAM_AUTHINFO_UNAVAIL;
+
+ if (pam_thinkfinger.tf)
+ libthinkfinger_free (pam_thinkfinger.tf);
+ goto out;
+ }
+
pthread_create (&pam_thinkfinger.t_thinkfinger, NULL, (void *) &thinkfinger_thread, &pam_thinkfinger);
pthread_create (&pam_thinkfinger.t_pam_prompt, NULL, (void *) &pam_prompt_thread, &pam_thinkfinger);
pthread_join (pam_thinkfinger.t_pam_prompt, NULL);
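
Review bot: `libthinkfinger_has_device (pam_thinkfinger.tf)` is called first and only afterwards does the code test `if (pam_thinkfinger.tf)`, so the handle may be NULL at the call. Check the handle before passing it on, or run the device probe before the handle is created. After `libthinkfinger_free (pam_thinkfinger.tf);` the pointer keeps its old value; set it to NULL before `goto out;` in case the common exit path releases it as well.
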
------------------------------------------------------------------------
William Jon McCann
2007-03-18 17:39:53 UTC
Hi,
Post by William Jon McCann
Hello,
could you give me an example how to test with setfacl? I tried "sudo
setfacl -m u:stephan:r /etc/pam_thinkfinger/stephan.bir". Still that
"Operation not supported".
That probably means that you haven't mounted your filesystem with ACL
support. If you remount it with support enabled does it work?
Post by William Jon McCann
1) gnome-screensaver dialog doesn't show "Password or swipe finger:" prompt.
2) it hangs somewhere. I can't type in a password.
It works perfectly here with my patches applied to pam-thinkfinger.
What version of gnome-screensaver are you using? What is the debug
output from pam-thinkfinger?
Post by William Jon McCann
BTW, why do I need the udev rule when I don't use pam_console? I think,
this should also be dependant on "--enable-console-perms".
Well, I think that it makes it easier for pam thinkfinger to
eventually support multiple devices and instead of scanning all the
usb devices again each time, etc.

Jon
Stephan Berberig
2007-03-18 18:41:24 UTC
Post by William Jon McCann
Hi,
Post by William Jon McCann
Hello,
could you give me an example how to test with setfacl? I tried "sudo
setfacl -m u:stephan:r /etc/pam_thinkfinger/stephan.bir". Still that
"Operation not supported".
That probably means that you haven't mounted your filesystem with ACL
support. If you remount it with support enabled does it work?
ok, didn't know that I need to mount my ext3 partition with ACL support.
Will test it the next days.
Post by William Jon McCann
Post by William Jon McCann
1) gnome-screensaver dialog doesn't show "Password or swipe finger:" prompt.
2) it hangs somewhere. I can't type in a password.
It works perfectly here with my patches applied to pam-thinkfinger.
What version of gnome-screensaver are you using? What is the debug
output from pam-thinkfinger?
I use 2.16.1-0ubuntu1 (Please don't ask me to test 2.18, if any specific
patches/improvements are needed, I would just add a backported patch).

The pam-thinkfinger debug output is:


Mar 18 19:27:46 notebook gnome-screensaver[32469]:
pam_thinkfinger(gnome-screensaver): pam_sm_authenticate called.
Mar 18 19:27:46 notebook gnome-screensaver[32469]:
pam_thinkfinger(gnome-screensaver): thinkfinger_thread called.
Mar 18 19:27:50 notebook gnome-screensaver[32469]:
pam_thinkfinger(gnome-screensaver): User 'stephan' authenticated
(biometric identification record matched).
Mar 18 19:27:50 notebook gnome-screensaver[32469]:
pam_thinkfinger(gnome-screensaver): thinkfinger_thread returning '0':
success.


Regards,
Stephan
Stephan Berberig
2007-03-20 14:01:03 UTC
Hi Jon,

I tested gnome-screensaver 2.18.0 with a Ubuntu Feisty LiveCD. It worked
fine with thinkfinger.


Could you please help me fixing 2.16.1? I also tried 2.16.3, no changes.

Best regards,
Stephan
Post by Stephan Berberig
Post by William Jon McCann
Hi,
Post by William Jon McCann
Hello,
could you give me an example how to test with setfacl? I tried "sudo
setfacl -m u:stephan:r /etc/pam_thinkfinger/stephan.bir". Still that
"Operation not supported".
That probably means that you haven't mounted your filesystem with ACL
support. If you remount it with support enabled does it work?
ok, didn't know that I need to mount my ext3 partition with ACL support.
Will test it the next days.
Post by William Jon McCann
Post by William Jon McCann
1) gnome-screensaver dialog doesn't show "Password or swipe finger:" prompt.
2) it hangs somewhere. I can't type in a password.
It works perfectly here with my patches applied to pam-thinkfinger.
What version of gnome-screensaver are you using? What is the debug
output from pam-thinkfinger?
I use 2.16.1-0ubuntu1 (Please don't ask me to test 2.18, if any specific
patches/improvements are needed, I would just add a backported patch).
pam_thinkfinger(gnome-screensaver): pam_sm_authenticate called.
pam_thinkfinger(gnome-screensaver): thinkfinger_thread called.
pam_thinkfinger(gnome-screensaver): User 'stephan' authenticated
(biometric identification record matched).
success.
Regards,
Stephan