[fprint] fprintd database protection, enrolling fail, abort fprint scanning

Jonas Jelten jelten at in.tum.de
Wed Nov 16 23:09:16 PST 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

hi!

i have an upek eikon 2 (147e:2016) in my thinkpad x220t.

i'm using fprint for 3 weeks now, i must say it is an excellent feature
to prevent others seeing your password, especially in lectures where 8
people are sitting right around you.

everywhere on the internet is described to use the pam_fprint.so pam.d
module, but pam_fprint_enroll always fails with error -22 on the last
stage. this means 5 times everything works as it should, but suddenly
the LED on the scanner no longer activates, and the program exits with
error -22.

so somewhere in the gentoo wiki i found another pam.d module, pam_fprintd.so

i inserted this in the sudo pam file, and everything worked just
perfectly. i enrolled my finger with fprintd-enroll, it created a
fingerprint for my user, but not the way it should. later i noticed a
bunch of security issues.

i think it is possible to enroll a finger with no root privileges and
overwrite existing fingerprints for this user just by executing
fprintd-enroll.
this means everyone using the notebook can just overwrite the
fingerprint and have root access.
where is the database file and why isn't it protected? can it be
protected just with filesystem access limitations? why isn't the current
fingerprint checked first or why no password check?

next thing is, when you ssh into your laptop with fprint
activated for sudo, it will require you to swipe your finger, although
your laptop might be somewhere around the globe. i don't think there's a
way to fix this, but you should be able to skip the scanning process and
continue entering a password.
I actually don't understand why it is not possible to cancel auth with
ctrl-c or whatever yet. when the system has a defined auth order in the
pam setting, you should be able to skip the fingerprinting, like it is
possible with a password.

- -- Jonas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJOxLMVAAoJEAO2SC2D9UetekgQAIeF+9JjElQenbT5W33G6gIu
QmbEgFbNU9Dp8ZjsqPBJyp3W88iGxyKfEnTyOZwP8ueihe1fdzZW3CDYOIiZi40z
GuaLL0fQ84OSKqan9XPjkutTd3ZeOy5FsbbcMeEIxb9eldTIu0GaCQuymuS5oax/
LLMzx9bMOi2Xm2n+AxDDiZhvdsba7VOi6u5z4jd02HTELD6nFw5v9zwCkdPQuWSu
4CetYRzErBaJe/9D4hJRoHy49lwJOHgH1cuFeEzxq3dv/H++AQ8g2IX3IFSekW65
fMyX+ShHDzVdRAYvNvUQmK91OSbQ9Za9NfSfkpdz36npltIdSAVGOeccWls1uIZl
adzH27azIrehRinP6zSbUM1bgqiVHu6mYYpepEAI/Qwfi8i8oRofTEmHaX5KYpYA
U/TaMnZL+jv+WTlyCKmmmYfon4o1Jo6/2lqsperiSQtIRREXynPyayzKojBUso66
CCH8I8thh5cN1JZJ1GBckAyQdsSLDLqS1o2+vKBRU7GtPDW/dS+cJKEqZcq+5vL9
VrmO3I6g1Wp+2xL0EKi+XF8B7HiboQn7RYNl+OjxIe0Vg3VAw3IPkrw/4qhO7PQG
IeJsn0V/I/67icLokoe0T+6rZIji5hmhmc42YmH2CNXhx3B5L2HtHgb0MJdHX++t
8dR3hKBm6J+W6XUskcbQ
=BPU7
-----END PGP SIGNATURE-----
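Two defender-side checks for the concerns this post raises, written as an added example that is not from the post or from the fprint project: whether a PAM auth stack still falls through to a password when pam_fprintd.so fails or is skipped, and whether the fingerprint storage directory is closed to other users. The path /var/lib/fprint and the sample PAM lines are assumptions made here; the post does not name where the prints are stored. The PAM parser only understands the simple control keywords (required, sufficient, ...), not the bracketed [success=... default=...] form.

```shell
#!/bin/sh
# Added example, not code from the original post or from the fprint project.
# Checks:
#  1. does the PAM auth stack fall through to a password when pam_fprintd.so
#     fails or is skipped (the post's ssh / ctrl-c problem)?
#  2. is the fingerprint storage directory closed to group and other
#     (the post's "why isn't the database protected" question)?
# The storage path /var/lib/fprint used below is an assumption; the post does
# not name the location.

# pam_has_password_fallback FILE
# Returns 0 when FILE lists pam_fprintd.so on an "auth" line with the
# "sufficient" control (a failing swipe does not abort the stack) AND a later
# "auth" line loads pam_unix.so, so a password can still be entered.
# Only plain control keywords are recognised, not the bracketed form.
pam_has_password_fallback() {
    awk '
        $1 == "auth" && $3 == "pam_fprintd.so" { fp = NR; ctrl = $2 }
        $1 == "auth" && $3 == "pam_unix.so" && fp && NR > fp { pw = 1 }
        END { exit !(fp && ctrl == "sufficient" && pw) }
    ' "$1"
}

# dir_is_private DIR
# Returns 0 when DIR exists and its mode grants nothing to group or other
# (e.g. drwx------), which is what a credential store should have.
# Columns 5-10 of "ls -ld" output are the group and other permission bits.
dir_is_private() {
    [ -d "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# audit PAMFILE STOREDIR
# Prints one line per check and returns 0 only if both checks pass.
audit() {
    rc=0
    if pam_has_password_fallback "$1"; then
        echo "ok:   $1 falls back to a password after pam_fprintd.so"
    else
        echo "warn: $1 has no password fallback after pam_fprintd.so"
        rc=1
    fi
    if dir_is_private "$2"; then
        echo "ok:   $2 is not readable or writable by other users"
    else
        echo "warn: $2 is missing or open to group/other"
        rc=1
    fi
    return $rc
}

# Stand-alone run against the live system (both paths are assumptions):
#   audit /etc/pam.d/sudo /var/lib/fprint
```

A stack that passes the first check looks like `auth sufficient pam_fprintd.so` followed by `auth required pam_unix.so`: a swipe that fails, times out or is cancelled returns to the password prompt instead of ending the session. The second check only looks at the directory mode, so it says nothing about who is allowed to enroll through the daemon; that is decided by the service's own authorisation policy, which this script does not inspect.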
