[fprint] Writing a dbus client

Roosembert Palacios roosembert.palacios at posteo.ch
Mon Apr 4 08:20:41 UTC 2022


Hello o/

I'm trying to write an ssh-askpass replacement that requires fingerprint
authentication. I looked at the sources of fprint-verify to learn about
the protocol with dbus, but when I call GetDefaultDevice on the manager
I get a permission error:

‣ Type=method_call  Endian=l  Flags=0  Version=1 Cookie=4  Timestamp="Mon 2022-04-04 08:04:17.416085 UTC"
  Sender=:1.5384  Destination=:1.5384  Path=/net/reactivated/Fprint/Manager  Interface=net.reactivated.Fprint.Manager  Member=GetDefaultDevice
  UniqueName=:1.5384
  MESSAGE "" {
  };

‣ Type=error  Endian=l  Flags=1  Version=1 Cookie=5  ReplyCookie=4  Timestamp="Mon 2022-04-04 08:04:17.416148 UTC"
  Sender=org.freedesktop.DBus  Destination=:1.5384
  ErrorName=org.freedesktop.DBus.Error.AccessDenied  ErrorMessage="Rejected send message, 1 matched rules; type="method_call", sender=":1.5384" (uid=1000 pid=1266175 comm="target/debug/fprint-test " label="kernel") interface="net.reactivated.Fprint.Manager" member="GetDefaultDevice" error name="(unset)" requested_reply="0" destination=":1.5384" (uid=1000 pid=1266175 comm="target/debug/fprint-test " label="kernel")"
  MESSAGE "s" {
          STRING "Rejected send message, 1 matched rules; type="method_call", sender=":1.5384" (uid=1000 pid=1266175 comm="target/debug/fprint-test " label="kernel") interface="net.reactivated.Fprint.Manager" member="GetDefaultDevice" error name="(unset)" requested_reply="0" destination=":1.5384" (uid=1000 pid=1266175 comm="target/debug/fprint-test " label="kernel")";
  };

I looked at the discussion when fprint-verify runs (since it works as
expected) and saw that it first tried to request the name (after
manually activating the service). When I reproduce this myself, I
again get a permission error.

‣ Type=method_call  Endian=l  Flags=0  Version=1 Cookie=3  Timestamp="Sun 2022-04-03 23:50:14.614935 UTC"
  Sender=:1.5238  Destination=org.freedesktop.DBus  Path=/org/freedesktp/DBus  Interface=org.freedesktop.DBus  Member=RequestName
  UniqueName=:1.5238
  MESSAGE "su" {
          STRING "net.reactivated.Fprint";
          UINT32 0;
  };

‣ Type=error  Endian=l  Flags=1  Version=1 Cookie=4  ReplyCookie=3  Timestamp="Sun 2022-04-03 23:50:14.614999 UTC"
  Sender=org.freedesktop.DBus  Destination=:1.5238
  ErrorName=org.freedesktop.DBus.Error.AccessDenied  ErrorMessage="Connection ":1.5238" is not allowed to own the service "net.reactivated.Fprint" due to security policies in the configuration file"
  MESSAGE "s" {
          STRING "Connection ":1.5238" is not allowed to own the service "net.reactivated.Fprint" due to security policies in the configuration file";
  };

I'm a complete noob with dbus, so I don't know what configuration file
policy is denying access. By looking at the configuration under
share/dbus-1/system.d/net.reactivated.Fprint.conf it should allow me to
talk to the bus:

  <!-- Anyone can talk to the service -->
  <policy context="default">
    <allow send_destination="net.reactivated.Fprint"
           send_interface="net.reactivated.Fprint.Manager"/>
    <allow send_destination="net.reactivated.Fprint"
           send_interface="net.reactivated.Fprint.Device"/>

Could you give me any hints on what I may be missing?
The source is available here:
https://gitlab.com/roosemberth/ssh-fprintd-askpass/-/blob/master/src/fprint.rs

I'm running NixOS 22.05 (Quokka) x86_64 on Sway, in case that's relevant.
pkgs.fprintd is installed in the system environment packages.

Thanks, cheers!

Roosembert Palacios
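
An added example (not part of the original post and not fprintd's code): a std-only Rust check that pulls `sender`, `interface` and `destination` out of the daemon's "Rejected send message" text and compares them with the two `<allow>` rules quoted from the policy file. The helpers `field` and `explain`, the `owned` parameter and the second sample string are assumptions made for this illustration, and the matching is a simplified model of dbus-daemon's policy evaluation.

```rust
// Added example: compare a dbus-daemon rejection with the quoted <allow> rules.
// Simplified model of policy matching, not dbus-daemon's implementation.

/// One <allow> rule, reduced to the two attributes used in the quoted policy.
struct Allow { send_destination: &'static str, send_interface: &'static str }

/// The two rules quoted from net.reactivated.Fprint.conf in the post.
const RULES: [Allow; 2] = [
    Allow { send_destination: "net.reactivated.Fprint", send_interface: "net.reactivated.Fprint.Manager" },
    Allow { send_destination: "net.reactivated.Fprint", send_interface: "net.reactivated.Fprint.Device" },
];

/// Error text copied from the first trace in the post.
const FROM_POST: &str = r#"Rejected send message, 1 matched rules; type="method_call", sender=":1.5384" (uid=1000 pid=1266175 comm="target/debug/fprint-test " label="kernel") interface="net.reactivated.Fprint.Manager" member="GetDefaultDevice" error name="(unset)" requested_reply="0" destination=":1.5384" (uid=1000 pid=1266175 comm="target/debug/fprint-test " label="kernel")"#;

/// Constructed sample (not from the post): same call addressed to the well-known name.
const CONSTRUCTED: &str = r#"Rejected send message; sender=":1.99" interface="net.reactivated.Fprint.Manager" destination="net.reactivated.Fprint""#;

/// Extract the value of the first `key="..."` pair in the daemon's error text.
fn field<'a>(msg: &'a str, key: &str) -> Option<&'a str> {
    let pat = format!("{}=\"", key);
    let start = msg.find(&pat)? + pat.len();
    let end = start + msg[start..].find('"')?;
    Some(&msg[start..end])
}

/// Ok(index of the matching allow rule) or Err(why none matched).
/// `owned` lists well-known names held by the destination connection (assumed input):
/// a send_destination rule also matches when the destination owns that name.
fn explain(msg: &str, owned: &[&str]) -> Result<usize, String> {
    let sender = field(msg, "sender").ok_or("no sender field")?;
    let iface = field(msg, "interface").ok_or("no interface field")?;
    let dest = field(msg, "destination").ok_or("no destination field")?;
    for (i, r) in RULES.iter().enumerate() {
        let dest_ok = dest == r.send_destination || owned.contains(&r.send_destination);
        if dest_ok && iface == r.send_interface {
            return Ok(i);
        }
    }
    let mut why = format!("no allow rule matches destination {:?} with interface {:?}", dest, iface);
    if dest == sender {
        why.push_str("; destination is the sender's own unique name");
    }
    Err(why)
}

fn main() {
    println!("from post:   {:?}", explain(FROM_POST, &[]));
    println!("constructed: {:?}", explain(CONSTRUCTED, &[]));
}
```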