Bug 89407 - password should be required to change fingerprints
Status: RESOLVED MOVED
Product: libfprint
Classification: Unclassified
Component: fprintd
Version: unspecified
Hardware: Other All
Importance: medium normal
Assignee: libfprint-bugs
Duplicates: 103627 105418
Reported: 2015-03-03 11:46 UTC by Ondrej Holy
Modified: 2018-05-31 08:58 UTC
Description Ondrej Holy 2015-03-03 11:46:59 UTC
No password is necessary to configure the fingerprint reader. I think this is a security issue:

1. Persons with physical access can scan their own fingerprint. So they can do everything that is allowed for this specific user.

2. If the user owns system privileges (sudo), the person has access to the whole system.

Originally reported:
https://bugzilla.gnome.org/show_bug.cgi?id=745348
Comment 1 tim 2015-03-07 12:04:18 UTC
In Debian and Fedora you can also use your fingerprint in the terminal. In Arch I cannot reproduce this behaviour. There must be a difference regarding the implementation of the software.
Comment 2 Bastien Nocera 2016-10-13 15:10:03 UTC
People cried foul in 2011, but didn't test the recommended work-around:
https://bugzilla.gnome.org/show_bug.cgi?id=651196#c4

First, gnome-control-center was calling EnrollStart without allowing for authentication, which means the request would always fail.

After fixing that, when enrolling, fprintd would request a polkit authentication synchronously to the polkit agent (usually gnome-shell) which would spawn a PAM conversation, which includes pam_fprintd by default. pam_fprintd would be trying to call out to fprintd, which is still waiting for the polkit response.

This would require fprintd changes to make all the polkit permission checks asynchronous, which means it's harder than simply changing a configuration file.
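
The stall described in comment 2, as an added model that is not part of the original comment and is not fprintd, polkit or PAM code: one service thread stands in for fprintd, `polkit_check` stands in for the agent's PAM conversation, and the names `Daemon`, `enroll` and the 0.5 s timeout are assumptions. It shows only whether the callback from the PAM module can be served; the asynchronous variant uses a helper thread as a simplification.

```python
import queue
import threading

TIMEOUT = 0.5  # assumed stand-in for the client's D-Bus call timeout, in seconds


class Daemon:
    """Model of a single-threaded service (the role fprintd plays); not fprintd code."""

    def __init__(self, async_checks):
        self.async_checks = async_checks
        self.inbox = queue.Queue()
        threading.Thread(target=self._loop, daemon=True).start()

    def call(self, method, timeout=TIMEOUT):
        """Queue a request and block for the reply, like a synchronous D-Bus call."""
        reply = queue.Queue(maxsize=1)
        self.inbox.put((method, reply))
        try:
            return reply.get(timeout=timeout)
        except queue.Empty:
            return "timeout"

    def _authorize(self, reply):
        reply.put(polkit_check(self))

    def _loop(self):
        while True:
            method, reply = self.inbox.get()
            if method != "EnrollStart":
                reply.put("ok")
            elif self.async_checks:
                # Start the check and return to the loop, so callbacks get served.
                threading.Thread(target=self._authorize, args=(reply,), daemon=True).start()
            else:
                # Synchronous check: the only service thread waits here.
                self._authorize(reply)


def polkit_check(daemon):
    """Agent runs the PAM stack; the fingerprint module calls back into the daemon."""
    pam_reply = daemon.call("pam_fprintd callback")
    return "authorized" if pam_reply == "ok" else "stalled: pam_fprintd got no reply"


def enroll(async_checks):
    return Daemon(async_checks).call("EnrollStart", timeout=4 * TIMEOUT)


if __name__ == "__main__":
    print("synchronous check: ", enroll(False))
    print("asynchronous check:", enroll(True))
```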
Comment 3 Bastien Nocera 2017-11-08 21:08:15 UTC
*** Bug 103627 has been marked as a duplicate of this bug. ***
Comment 4 Bastien Nocera 2018-03-09 14:44:31 UTC
*** Bug 105418 has been marked as a duplicate of this bug. ***
Comment 5 GitLab Migration User 2018-05-31 08:58:09 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/libfprint/fprintd/issues/5.

