From: Stephan Berberig <s.berberig-KvP5wT2u2U0 <at> public.gmane.org>
Subject: Re: [PATCH] Allow non-root users
Newsgroups: gmane.linux.drivers.thinkfinger
Date: Sunday 18th March 2007 11:50:54 UTC (over 9 years ago)
Hi Jon,

I think your patch is too FC6-specific.

On Ubuntu, I don't have pam_console for the permission settings, and libacl
(version 2.2.39-1ubuntu2) also gives me an error:


Setting ACL aquired file: /etc/pam_thinkfinger/stephan.bir.
Unable to set ACL of aquired file: /etc/pam_thinkfinger/stephan.bir:
Operation not supported


I also changed the permissions for the USB and uinput devices manually,
but gnome-screensaver (or rather, its dialog) still hangs somewhere.

Thanks for helping.

Best regards,
Stephan

William Jon McCann schrieb:
> Hi,
> 
> This patch (which includes the acl patch too) should be a complete
> solution to using thinkfinger with applications that don't run as root
> (e.g. screensavers).
> * Adds the ACL to the .bir file
> * Adds a udev rule to make a symlink in /dev/input
> * Adds a console helper permissions rule for allowing console users
> to write to thinkfinger device and uinput device
> * Fixes a bug where if the usb write failed the CR was not sent to
> the uinput device and the PAM module hangs waiting for input.
> 
> What do you think?
> 
> Thanks,
> Jon
> 
> 
> ------------------------------------------------------------------------
> 
> Index: tf-tool/tf-tool.c
> ===================================================================
> --- tf-tool/tf-tool.c	(revision 96)
> +++ tf-tool/tf-tool.c	(working copy)
> @@ -1,4 +1,5 @@
> - /*   tf-test - A simple example for libthinkfinger
> + /* -*- Mode: C; tab-width: 8; indent-tabs-mode: t; c-basic-offset: 8
-*-
> +  *   tf-test - A simple example for libthinkfinger
>    *
>    *   ThinkFinger - A driver for the UPEK/SGS Thomson Microelectronics
>    *   fingerprint reader.
> @@ -22,12 +23,18 @@
>    *
>    */
>  
> +#include 
> +
>  #include 
> +#include 
>  #include 
>  #include 
>  #include 
>  
> -#include 
> +#ifdef HAVE_SYS_ACL_H
> +#include 
> +#endif
> +
>  #include 
>  
>  #define MODE_UNDEFINED 0
> @@ -302,6 +309,144 @@ out:
>  	return retval;
>  }
>  
> +static int
> +set_permissions_for_user (const char *path,
> +			  const char *username)
> +{
> +#ifdef HAVE_SYS_ACL_H
> +	int res;
> +	struct passwd *p;
> +	acl_t acl;
> +	acl_entry_t entry;
> +	acl_permset_t permset;
> +	uid_t uid;
> +
> +	/* this is so that a user is able to read his/her own file
> +	 * when reauthenticating via the screensaver etc. */
> +	p = getpwnam (username);
> +	uid = p->pw_uid;
> +
> +	fprintf (stderr, "Setting ACL aquired file: %s.\n",
> +		 path);
> +
> +	res = -1;
> +
> +	acl = acl_init (4);
> +
> +	/* User Obj */
> +	if (acl_create_entry (&acl, &entry) == -1) {
> +		goto out;
> +	}
> +	if (acl_get_permset (entry, &permset) == -1) {
> +		goto out;
> +	}
> +	if (acl_clear_perms (permset) == -1) {
> +		goto out;
> +	}
> +	if (acl_add_perm (permset, ACL_READ) == -1) {
> +		goto out;
> +	}
> +	if (acl_add_perm (permset, ACL_WRITE) == -1) {
> +		goto out;
> +	}
> +	if (acl_set_tag_type (entry, ACL_USER_OBJ) == -1) {
> +		goto out;
> +	}
> +	if (acl_set_permset (entry, permset) == -1) {
> +		goto out;
> +	}
> +
> +	/* Group Obj */
> +	if (acl_create_entry (&acl, &entry) == -1) {
> +		goto out;
> +	}
> +	if (acl_get_permset (entry, &permset) == -1) {
> +		goto out;
> +	}
> +	if (acl_clear_perms (permset) == -1) {
> +		goto out;
> +	}
> +	if (acl_set_tag_type (entry, ACL_GROUP_OBJ) == -1) {
> +		goto out;
> +	}
> +	if (acl_set_permset (entry, permset) == -1) {
> +		goto out;
> +	}
> +
> +	/* Others */
> +	if (acl_create_entry (&acl, &entry) == -1) {
> +		goto out;
> +	}
> +	if (acl_get_permset (entry, &permset) == -1) {
> +		goto out;
> +	}
> +	if (acl_clear_perms (permset) == -1) {
> +		goto out;
> +	}
> +	if (acl_set_tag_type (entry, ACL_OTHER) == -1) {
> +		goto out;
> +	}
> +	if (acl_set_permset (entry, permset) == -1) {
> +		goto out;
> +	}
> +
> +	/* Mask */
> +	if (acl_create_entry (&acl, &entry) == -1) {
> +		goto out;
> +	}
> +	if (acl_get_permset (entry, &permset) == -1) {
> +		goto out;
> +	}
> +	if (acl_clear_perms (permset) == -1) {
> +		goto out;
> +	}
> +	if (acl_add_perm (permset, ACL_READ) == -1) {
> +		goto out;
> +	}
> +	if (acl_set_tag_type (entry, ACL_MASK) == -1) {
> +		goto out;
> +	}
> +	if (acl_set_permset (entry, permset) == -1) {
> +		goto out;
> +	}
> +
> +	/* User */
> +	if (acl_create_entry (&acl, &entry) == -1) {
> +		goto out;
> +	}
> +	if (acl_set_tag_type (entry, ACL_USER) == -1) {
> +		goto out;
> +	}
> +	if (acl_set_qualifier (entry, &uid) == -1) {
> +		goto out;
> +	}
> +	if (acl_get_permset (entry, &permset) == -1) {
> +		goto out;
> +	}
> +	if (acl_clear_perms (permset) == -1) {
> +		goto out;
> +	}
> +	if (acl_add_perm (permset, ACL_READ) == -1) {
> +		goto out;
> +	}
> +	if (acl_set_permset (entry, permset) == -1) {
> +		goto out;
> +	}
> +
> +	res = acl_set_file (path, ACL_TYPE_ACCESS, acl);
> +
> + out:
> +	acl_free (acl);
> +	if (res != 0) {
> +		fprintf (stderr, "Unable to set ACL of aquired file: %s: %s\n",
> +			 path,
> +			 strerror (errno));
> +	}
> +
> +#endif
> +	return res;
> +}
> +
>  int
>  main (int argc, char *argv[])
>  {
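Review bot: `p = getpwnam (username);` is dereferenced on the next line without a NULL check, so an unknown user name or a lookup failure crashes tf-tool after the fingerprint has already been acquired; add `if (p == NULL) { fprintf (stderr, "Unknown user: %s\n", username); return -1; }` before `uid = p->pw_uid;`. `acl = acl_init (4);` is likewise unchecked, although the following acl_create_entry failure would at least reach `out`. `int res;` is declared inside `#ifdef HAVE_SYS_ACL_H` while `return res;` sits outside it, so the function does not compile when the header is absent; move the return inside the block and return a fixed value from an `#else` branch. The error message reads `strerror (errno)` only after `acl_free (acl)`, which may overwrite errno, so save it into a local before the cleanup.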
> @@ -313,6 +458,8 @@ main (int argc, char *argv[])
>  	const char *user;
>  #endif
>  
> +	user = NULL;
> +
>  	printf ("%s\n", BANNER);
>  
>  	if (argc == 1) {
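Review bot: `user = NULL;` is unconditional, but the context lines show `const char *user;` declared just above inside a preprocessor conditional whose `#ifdef` lies before this hunk, so builds where that conditional is false fail on an undeclared identifier. Initializing at the declaration, `const char *user = NULL;`, keeps the assignment under the same guard. The start of main's variable block is outside the hunk, so the guard condition itself cannot be checked here.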
> @@ -456,13 +603,18 @@ main (int argc, char *argv[])
>  
>  	}
>  	if (tfdata.mode == MODE_ACQUIRE) {
> +		umask (0077);
>  		retval = acquire (&tfdata);
> +		if (retval == 0 && user != NULL) {
> +			set_permissions_for_user (tfdata.bir, user);
> +		}
>  	} else if (tfdata.mode == MODE_VERIFY) {
>  		retval = verify (&tfdata);
>  	} else {
>  		usage (argv[0]);
>  		retval = -1;
>  	}
> +
>  out:
>  	exit (retval);
>  }
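Review bot: the return value of `set_permissions_for_user (tfdata.bir, user)` is discarded, so when the ACL cannot be applied (the reply on this thread reports exactly that, `Operation not supported`) tf-tool still exits 0 while the record, created under `umask (0077)`, stays readable only by root, and the user's later verification presumably fails with no hint why. Propagate it, e.g. `retval = set_permissions_for_user (tfdata.bir, user);`, or at least reflect the failure in the exit status. The tightened umask itself is the right call for a biometric template, which should never be world-readable even briefly; a one-line comment next to `umask (0077);` saying so would stop a later cleanup from removing it.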
> Index: tf-tool/Makefile.am
> ===================================================================
> --- tf-tool/Makefile.am	(revision 96)
> +++ tf-tool/Makefile.am	(working copy)
> @@ -3,5 +3,5 @@ sbin_PROGRAMS = tf-tool
>  INCLUDES = -I$(top_srcdir)/libthinkfinger
>  
>  tf_tool_SOURCES = tf-tool.c
> -tf_tool_LDADD = $(top_builddir)/libthinkfinger/libthinkfinger.la 
> +tf_tool_LDADD = $(ACL_LIBS)
$(top_builddir)/libthinkfinger/libthinkfinger.la 
>  tf_tool_CFLAGS = $(CFLAGS)
> Index: configure.in
> ===================================================================
> --- configure.in	(revision 96)
> +++ configure.in	(working copy)
> @@ -71,6 +71,11 @@ AC_ARG_ENABLE(securedir, AC_HELP_STRING(
>  # AC_ARG_ENABLE_BIR_DIR
>  AC_ARG_ENABLE(birdir, AC_HELP_STRING([--with-birdir=dir],[Where to put
the biometric identification records (bir files)
@<:@default=$sysconfdir/pam_thinkfinger@:>@]))
>  
> +# Check for libacl
> +AC_CHECK_HEADERS(sys/acl.h)
> +AC_CHECK_LIB(acl, acl_set_file, [ACL_LIBS="-lacl"], AC_MSG_ERROR([libacl
missing]))
> +AC_SUBST(ACL_LIBS)
> +
>  # Check for libusb using pkg-config
>  PKG_CHECK_MODULES(USB, libusb >= 0.1.11, usb_found=yes,
AC_MSG_ERROR([libusb missing]))
>  
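Review bot: `AC_CHECK_HEADERS(sys/acl.h)` treats the header as optional while `AC_CHECK_LIB(acl, acl_set_file, ..., AC_MSG_ERROR(...))` makes the library mandatory, so the `#ifdef HAVE_SYS_ACL_H` fallback in tf-tool.c is reachable only when the development header is missing but the library links, and in that case the build yields a tf-tool that silently never sets the ACL. Either fail the header check the same way, `AC_CHECK_HEADERS(sys/acl.h, [], AC_MSG_ERROR([sys/acl.h missing]))`, or make both checks optional and leave ACL_LIBS empty when libacl is absent, which would also answer the objection in the reply that the patch is distribution-specific.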
> @@ -170,6 +175,7 @@ AM_CONDITIONAL(HAVE_OLD_PAM, test "x$HAV
>  AC_CONFIG_FILES([Makefile
>  		README
>  		INSTALL
> +		data/Makefile
>  		docs/Makefile
>  		docs/autodocs/Makefile
>  		libthinkfinger/Makefile
> Index: Makefile.am
> ===================================================================
> --- Makefile.am	(revision 96)
> +++ Makefile.am	(working copy)
> @@ -1,5 +1,5 @@
> -if BUILD_PAM 
> +if BUILD_PAM
>    PAM_SUBDIR=pam
>  endif
>  
> -SUBDIRS = docs libthinkfinger tf-tool $(PAM_SUBDIR)
> +SUBDIRS = data docs libthinkfinger tf-tool $(PAM_SUBDIR)
> Index: data/60-thinkfinger.perms
> ===================================================================
> --- data/60-thinkfinger.perms	(revision 0)
> +++ data/60-thinkfinger.perms	(revision 0)
> @@ -0,0 +1,4 @@
> +=/dev/input/thinkfinger-*
> +=/dev/uinput /dev/misc/uinput /dev/input/uinput
> + 0600  0600 root
> + 0600  0600 root
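Review bot: the second rule hands the console user 0600 ownership of `/dev/uinput`, which is a far broader grant than access to the fingerprint reader, because uinput lets its opener synthesize input events for the whole machine rather than only the carriage return pam_thinkfinger needs. Record that consequence and why it was accepted in the file, e.g. `# uinput is needed so pam_thinkfinger can send the CR; this also lets the console user inject arbitrary input`, and mention it in the description so packagers can weigh it. The `<console>` and device-class tokens that console.perms expects at the start of each line appear to have been stripped by the archive rendering, so the syntax of the file as shown cannot be verified.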
> Index: data/60-thinkfinger.rules
> ===================================================================
> --- data/60-thinkfinger.rules	(revision 0)
> +++ data/60-thinkfinger.rules	(revision 0)
> @@ -0,0 +1,11 @@
> +#
> +# udev rules file for the thinkfinger fingerprint scanner
> +#
> +
> +ACTION!="add", GOTO="thinkfinger_rules_end"
> +SUBSYSTEM!="usb_device", GOTO="thinkfinger_rules_end"
> +
> +# SGS Thomson Microelectronics Fingerprint Reader
> +SYSFS{idVendor}=="0483", SYSFS{idProduct}=="2016",
SYMLINK+="input/thinkfinger-%k"
> +
> +LABEL="thinkfinger_rules_end"
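Review bot: nothing in this file says what consumes the `input/thinkfinger-%k` symlink; it exists so 60-thinkfinger.perms can match `/dev/input/thinkfinger-*`, and the two files must stay in sync. Add `# the symlink name is matched by 60-thinkfinger.perms; keep both files in sync` above the `SYSFS{idVendor}` line. The same comment could note that the link is placed under input/ although the matched node is a usb_device, which otherwise looks like a mistake.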
> Index: data/Makefile.am
> ===================================================================
> --- data/Makefile.am	(revision 0)
> +++ data/Makefile.am	(revision 0)
> @@ -0,0 +1,9 @@
> +## Process this file with automake to produce Makefile.in
> +
> +udevrulesdir = $(sysconfdir)/udev/rules.d
> +udevrules_DATA = 60-thinkfinger.rules
> +
> +consolepermsdir = $(sysconfdir)/security/console.perms.d
> +consoleperms_DATA = 60-thinkfinger.perms
> +
> +EXTRA_DIST = 60-thinkfinger.rules 60-thinkfinger.perms
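Review bot: both install directories are derived from `$(sysconfdir)`, but udev reads only /etc/udev/rules.d and pam_console only /etc/security/console.perms.d, so with autoconf's default prefix the files land under /usr/local/etc where neither consumer looks. Either hard-code these two paths, `udevrulesdir = /etc/udev/rules.d` and `consolepermsdir = /etc/security/console.perms.d`, or document in README/INSTALL that `--sysconfdir=/etc` is required for the non-root setup to take effect.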
> Index: autogen.sh
> ===================================================================
> --- autogen.sh	(revision 96)
> +++ autogen.sh	(working copy)
> @@ -7,3 +7,5 @@ autoheader
>  aclocal
>  automake --add-missing
>  autoconf
> +
> +./configure $@
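Review bot: `./configure $@` should be `./configure "$@"` so arguments containing spaces reach configure intact. Running configure from autogen.sh is also a behaviour change for anyone who expected only the autotools regeneration; a comment such as `# pass configure arguments through, e.g. ./autogen.sh --sysconfdir=/etc` would make the new contract explicit.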
> Index: pam/pam_thinkfinger.c
> ===================================================================
> --- pam/pam_thinkfinger.c	(revision 96)
> +++ pam/pam_thinkfinger.c	(working copy)
> @@ -146,14 +146,13 @@ static void thinkfinger_thread (void *da
>  		pam_thinkfinger->swipe_retval = PAM_AUTH_ERR;
>  		pam_thinkfinger_log (pam_thinkfinger, LOG_NOTICE,
>  				     "User '%s' verification failed (0x%x).", pam_thinkfinger->user,
tf_state);
> -		goto out;
>  	}
>  
>  	ret = uinput_cr (&pam_thinkfinger->uinput_fd);
>  	if (ret != 0)
>  		pam_thinkfinger_log (pam_thinkfinger, LOG_ERR,
>  				     "Could not send carriage return via uinput: %s.", strerror
(ret));
> -out:
> +
>  	pam_thinkfinger_log (pam_thinkfinger, LOG_NOTICE,
>  			     "%s returning '%d': %s.", __FUNCTION__,
pam_thinkfinger->swipe_retval,
>  			     pam_thinkfinger->swipe_retval ? pam_strerror
(pam_thinkfinger->pamh, pam_thinkfinger->swipe_retval) : "success");
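Review bot: dropping `goto out` and the `out:` label fixes the hang for the verification-failed branch, but thinkfinger_thread begins and ends outside this hunk, so any other `goto out` earlier in the function would now fail to compile, and any early exit before this point would still skip `uinput_cr` and leave the PAM conversation waiting. Please confirm that no other jumps to the label remain and that every exit of the thread sends the CR. A comment such as `/* always send the CR, even on failure, or the PAM prompt blocks forever */` above the `uinput_cr` call would record why the send must be unconditional.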
> 
> 
> ------------------------------------------------------------------------
> 
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share
your
> opinions on IT & business topics through brief surveys-and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Thinkfinger-devel mailing list
> [email protected]rg
> https://lists.sourceforge.net/lists/listinfo/thinkfinger-devel

