Open nomeata opened 2 years ago
divVerent
commented
2 years ago This is an interesting request; I do not yet know how this can work though, as PAM does not have a cancel API. Maybe pam_fprintd just catches SIGINT?
I will check out source code of pam_fprintd to find out more about this.
nomeata
commented
2 years ago Yes, I think that's precisely how these pam modules work around that issue. But better check, I am only relaying heresay :-)
divVerent
commented
2 years ago Can't find anything on https://github.com/dsd/fprintd/tree/master/pam that handles SIGINT. Too bad I don't have a FP reader myself, or I could try with that.
divVerent
commented
2 years ago Hm... can you try one thing:
Does this enter the password query faster? Or does it reset/exit the auth flow?
If not, try also: "sleep 10; pkill -TERM authproto_pam".
nomeata
commented
2 years ago In both cases the auth flow gets reset. xsecurelock prints
2022-06-09T20:22:00Z 74469 xsecurelock: authproto child killed by signal 2.
2022-06-09T20:22:00Z 74464 xsecurelock: auth child failed with status 1.resp.
2022-06-09T20:22:16Z 74511 xsecurelock: authproto child killed by signal 15.
2022-06-09T20:22:16Z 74506 xsecurelock: auth child failed with status 1.With sudo it works as advertised:
~ $ sudo -s
Legen Sie Ihren rechten Zeigefinger auf den Fingerabdruckleser
^Cjojo@riviera: OK, so we know it is not that simple.
I do wonder how the Ctrl+C then works. Can you reproduce it with sudo as follows:
now do NOT press the finger, but run "ps waxwuf | grep -10 sudo"
Does that show any subprocesses related to pam_fprintd?
On Thu, Jun 9, 2022, 16:23 Joachim Breitner @.***> wrote:
In both cases the auth flow gets reset. xsecurelock prints
2022-06-09T20:22:00Z 74469 xsecurelock: authproto child killed by signal 2. 2022-06-09T20:22:00Z 74464 xsecurelock: auth child failed with status 1.
resp.
2022-06-09T20:22:16Z 74511 xsecurelock: authproto child killed by signal 15. 2022-06-09T20:22:16Z 74506 xsecurelock: auth child failed with status 1.
— Reply to this email directly, view it on GitHub https://github.com/google/xsecurelock/issues/145#issuecomment-1151582033, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAB5NMBA2WRCRXU4VDRVDWTVOJHEFANCNFSM5YJK2WHQ . You are receiving this because you commented.Message ID: @.***>
nomeata
commented
2 years ago In https://gitlab.freedesktop.org/libfprint/fprintd/-/tags/v1.92.0 I see
- pam: Cancel authentication on SIGINT (e.g. ctrl+c with sudo)
this is the commit I think https://github.com/freedesktop/libfprint-fprintd/commit/657f58fd648e35417ce7266b9c1558ce497dc179
nomeata
commented
2 years ago Does that show any subprocesses related to pam_fprintd?
No:
~ $ ps waxwuf | grep -10 sudo
jojo 14128 0.0 0.7 1965648 114132 ? Ssl Jun08 0:09 \_ /nix/store/hw4s8wbdqs53i8pa51wj68qh8q4sdwx3-evolution-data-server-3.44.2/libexec/evolution-calendar-factory
jojo 14155 0.0 0.5 1066968 84636 ? Ssl Jun08 0:00 \_ /nix/store/hw4s8wbdqs53i8pa51wj68qh8q4sdwx3-evolution-data-server-3.44.2/libexec/evolution-addressbook-factory
jojo 18093 0.3 0.0 1270928 12876 ? S<sl Jun08 7:45 \_ /nix/store/vh6c7crg5gra9gjfnnrldvqbnjbwvj5d-pulseaudio-15.0/bin/pulseaudio --daemonize=no --log-target=journal
jojo 18100 0.0 0.0 237436 6292 ? Sl Jun08 0:00 | \_ /nix/store/vh6c7crg5gra9gjfnnrldvqbnjbwvj5d-pulseaudio-15.0/libexec/pulse/gsettings-helper
jojo 36061 0.0 0.6 895728 100208 ? Sl Jun08 0:13 \_ evince calculus.pdf
jojo 36067 0.0 0.0 155396 3188 ? Sl Jun08 0:00 \_ /nix/store/yc7296zjx8aqqqp7nf9ai6p8ym6ww98h-evince-42.3/libexec/evinced
root 54553 0.0 0.0 372436 932 ? Ss 10:58 0:00 \_ gpg-agent --homedir /root/.gnupg --use-standard-socket --daemon
jojo 54873 0.0 0.0 449492 5380 ? Sl 11:01 0:00 \_ xss-lock -l -- xsecurelock
jojo 74259 0.3 0.3 697232 51724 ? Rsl 22:20 0:01 \_ /nix/store/cv48kxfz5f2iqlgf6vy72glnnld4vdhg-gnome-terminal-3.44.1/libexec/gnome-terminal-server
jojo 74282 0.0 0.0 235048 14652 pts/1 Ss 22:20 0:00 \_ bash
root 75215 0.0 0.0 225916 4212 pts/1 S+ 22:25 0:00 | \_ sudo -s
jojo 74330 0.0 0.0 235044 14640 pts/2 Ss 22:20 0:00 \_ bash
jojo 75222 0.0 0.0 227768 4184 pts/2 R+ 22:26 0:00 \_ ps waxwuf
jojo 75223 0.0 0.0 223612 2780 pts/2 S+ 22:26 0:00 \_ grep --color=auto -10 sudo
jojo 1339 0.0 0.0 454988 6148 ? SLl Jun08 0:00 gnome-keyring-daemon --start --daemonize --components=secrets,pkcs11
root 1367 0.0 0.0 241512 8440 ? Ssl Jun08 0:01 /nix/store/3w1vrsb97852v1nah1hi6g2la9zbdwl6-upower-0.99.17/libexec/upowerd
rtkit 1535 0.0 0.0 154324 2532 ? SNsl Jun08 0:01 /nix/store/kf5m1bsgi1npscwvk1mbcmmdg2mz9fhp-rtkit-0.13/libexec/rtkit-daemon
root 2059 0.0 0.1 505360 22408 ? Ssl Jun08 0:00 nix-daemon --daemon
jojo 14117 0.0 0.3 1090196 62196 ? Sl Jun08 0:02 /nix/store/hw4s8wbdqs53i8pa51wj68qh8q4sdwx3-evolution-data-server-3.44.2/libexec/evolution-data-server/evolution-alarm-notify
polkitu+ 52566 0.0 0.1 2995768 16652 ? Ssl 10:48 0:00 /nix/store/6lrwrz4qxw6gmyhjp49dgr07wh6wis35-polkit-0.120/lib/polkit-1/polkitd --no-debug
root 52582 0.0 0.0 454100 5324 ? Ssl 10:48 0:00 /nix/store/8nvrg38cd1i1apn6mbpsrraf1n5fg2r6-accountsservice-22.08.8/libexec/accounts-daemon
root 75216 0.6 0.0 588000 9844 ? Ssl 22:25 0:00 /nix/store/ak1j194wmjb5py2820x4a7rlmiv2zz4f-fprintd-1.94.2/libexec/fprintdBut then the "pkill -INT authproto_pam" way should have worked...
That is odd then.
On Thu, Jun 9, 2022, 16:26 Joachim Breitner @.***> wrote:
In https://gitlab.freedesktop.org/libfprint/fprintd/-/tags/v1.92.0 I see
- pam: Cancel authentication on SIGINT (e.g. ctrl+c with sudo)
this is the commit I think @.*** https://github.com/freedesktop/libfprint-fprintd/commit/657f58fd648e35417ce7266b9c1558ce497dc179
— Reply to this email directly, view it on GitHub https://github.com/google/xsecurelock/issues/145#issuecomment-1151584153, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAB5NMEQJ4IOFNG5ZMNSXNDVOJHNLANCNFSM5YJK2WHQ . You are receiving this because you commented.Message ID: @.***>
nomeata
commented
2 years ago Maybe the problem isn’t that the pam module doesn't handle it, but that authroto_pam also gets the signal, and dies, while sudo (just guessing here) doesn’t die with SIGINT while pam is running.
nomeata
commented
2 years ago Indeed, I can make sudo behave that way not just with Ctrl-C, but also with sudo kill -INT $(pgrep sudo) (I need to run this as root because sudo runs as root)
nomeata
commented
2 years ago divVerent
commented
2 years ago Ah, yes - so it seems like pam_fprintd only does half the work by using signalfd() - the signal also needs to be sigprocmask()d by the caller.
That we can do.
On Thu, Jun 9, 2022, 16:35 Joachim Breitner @.***> wrote:
https://www.sudo.ws/repos/sudo/rev/524d95ac222e might be relevant
— Reply to this email directly, view it on GitHub https://github.com/google/xsecurelock/issues/145#issuecomment-1151593531, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAB5NMGNQ5N33CEKROXTRS3VOJIPJANCNFSM5YJK2WHQ . You are receiving this because you commented.Message ID: @.***>
divVerent
commented
1 year ago Can you try the change I just pushed to branch ctrl-c?
On Thu, Jun 9, 2022 at 1:39 PM Rudolf Polzer @.***> wrote:
Ah, yes - so it seems like pam_fprintd only does half the work by using signalfd() - the signal also needs to be sigprocmask()d by the caller.
That we can do.
On Thu, Jun 9, 2022, 16:35 Joachim Breitner @.***> wrote:
https://www.sudo.ws/repos/sudo/rev/524d95ac222e might be relevant
— Reply to this email directly, view it on GitHub https://github.com/google/xsecurelock/issues/145#issuecomment-1151593531, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAB5NMGNQ5N33CEKROXTRS3VOJIPJANCNFSM5YJK2WHQ . You are receiving this because you commented.Message ID: @.***>
nomeata
commented
1 year ago Hmm, doesn't quite seem to work.
I start xsecurelock, move the mouse to be prompted for the finger print. Then I press Ctrl-C.
At this point, nothing changes in the view, but the finger print doesn’t do anything (my hypothesis: the auth helper is killed, but the display is not redrawn).
If I now move the mouse again, the prompt appears again, slightly moved (a feature of xsecurelock), and I am asked to put the fingerprint there.
When I unlock, the console says
2022-10-11T09:17:19Z 845286 xsecurelock: auth child killed by signal 2.So it looks like Ctrl-C takes the auth child down completely, rather than just interrupting one pam interaction?
divVerent
commented
1 year ago That is helpful - gotta investigate further.
On Tue, Oct 11, 2022, 11:19 Joachim Breitner @.***> wrote:
Hmm, doesn't quite seem to work.
I start xsecurelock, move the mouse to be prompted for the finger print. Then I press Ctrl-C. At this point, nothing changes in the view, but the finger print doesn’t do anything (my hypothesis: the auth helper is killed, but the display is not redrawn). If I now move the mouse again, the prompt appears again, slightly moved (a feature of xsecurelock), and I am asked to put the fingerprint there.
When I unlock, the console says
2022-10-11T09:17:19Z 845286 xsecurelock: auth child killed by signal 2.
So it looks like Ctrl-C takes the auth child down completely, rather than just interrupting one pam interaction?
— Reply to this email directly, view it on GitHub https://github.com/google/xsecurelock/issues/145#issuecomment-1274384825, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAB5NMCIMZEWUBR5Z2G2GQDWCUWK3ANCNFSM5YJK2WHQ . You are receiving this because you commented.Message ID: @.***>
I started using the fingerprint scanner on my laptop, with a pam configuration like this:
With, say,
sudoI can use Ctrl-C to abort the fingerprint prompt if I want to use my password (say, my finger is bandaged, or the fingerprint scanner is somehow unreachable).With
xsecurelock, the best I can do is to use a wrong finger three times to make the first pam entry fail, and then I can use my password.It would be nice if I could instruct
xsecurelockto abort the fingerprint reader prompt, e.g. by pressing Esc.