[fprint] fprintd database protection, enrolling fail, abort fprint scanning

Wolfgang Ullrich w.ullrich at n-view.net
Wed Nov 16 23:47:47 PST 2011


Did you try fingerprint-gui?
http://www.pdfserver.net/fingerprint

Besides the libfprint drivers it makes use of a proprietary driver
libbsapi.so for upek devices with better recognition rates.
Also it has a clean and well privileged directory
in /var/lib/fingerprint-gui/, where fingerprint data are stored
protected against other users. The pam_fingerprint-gui.so module
recognizes remote sessions and doesn't request finger swipes for them.

W.U.


> hi!
> 
> i have an upek eikon 2 (147e:2016)  in my thinkpad x220t.
> 
> i'm using fprint for 3 weeks now, i must say it is an excellent feature
> to prevent others seeing your password, especially in lectures where 8
> people are sitting right around you.
> 
> everywhere on the internet is described to use the pam_fprint.so  pam.d
> module, but pam_fprint_enroll always fails with error -22 on the last
> stage. this means 5 times everything works as it should, but suddenly
> the LED on the scanner no more activates, and the program exits with
> error -22.
> 
> so somewhere in the gentoo wiki i found another pam.d module, pam_fprintd.so
> 
> i inserted this in the sudo pam file, and everything worked just
> perfectly. i enrolled my finger with fprintd-enroll, it created a
> fingerprint for my user, but not the way it should. later i noticed a
> bunch of security issues.
> 
> i think it is possible to enroll a finger with no root privileges and
> overwrite existing fingerprints for this user just by executing
> fprintd-enroll.
> this means everyone using the notebook can just overwrite the
> fingerprint and have root access.
> where is the database file and why isn't it protected? can it be
> protected just with filesystem access limitations? why isn't the current
> fingerprint checked first or why no password check?
> 
> next thing is, when you ssh into your laptop with having fprint
> activated for sudo, it will require you to swipe your finger, although
> your laptop might be somewhere around the globe. i don't think there's a
> way to fix this, but you should be able to skip the scanning process and
> continue entering a password.
> I actually don't understand why it is not possible to cancel auth with
> ctrl-c or whatever yet. when the system has a defined auth order in the
> pam setting, you should be able to skip the fingerprinting, like it is
> possible with a password.
> 
> -- Jonas

-- 
Regards

Wolfgang Ullrich

e-Mail: w.ullrich at n-view.net
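
Added example, not part of the original messages and not code from fingerprint-gui or fprintd: a small audit of whether a fingerprint template store is protected against other local users by filesystem permissions, which is the question raised in the thread. The default path is the directory named in the reply above; the function name `audit_store`, the root-only default owner and the checks themselves are assumptions of this example.

```python
import os
import stat
import sys

def audit_store(root, allowed_uids=(0,)):
    """Return (path, problem) pairs for entries other local users could read or replace.

    allowed_uids is an assumption of this example: the uids expected to own the store.
    """
    findings = []
    paths = [root]
    # os.walk does not follow symlinks, so a planted link is reported, not traversed.
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    for path in paths:
        st = os.lstat(path)
        mode = st.st_mode
        if stat.S_ISLNK(mode):
            findings.append((path, "symlink inside store"))
            continue
        if st.st_uid not in allowed_uids:
            findings.append((path, "unexpected owner uid %d" % st.st_uid))
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((path, "writable by group/others: templates can be replaced"))
        if mode & stat.S_IROTH or (stat.S_ISDIR(mode) and mode & stat.S_IXOTH):
            findings.append((path, "readable by others: templates can be copied"))
    return findings

if __name__ == "__main__":
    # Default is the directory named in the reply above; pass another path to audit it.
    target = sys.argv[1] if len(sys.argv) > 1 else "/var/lib/fingerprint-gui"
    if not os.path.isdir(target):
        sys.exit("no such directory: " + target)
    problems = audit_store(target)
    for path, problem in problems:
        print("%s: %s" % (path, problem))
    sys.exit(1 if problems else 0)
```

Run it as root so every subdirectory can be read; an exit status of 0 means no entry under the store was flagged.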




