Allow aborting/skipping one pam module
nomeata opened this issue · comments
I started using the fingerprint scanner on my laptop, with a pam configuration like this:

```
auth sufficient /nix/store/ak1j194wmjb5py2820x4a7rlmiv2zz4f-fprintd-1.94.2/lib/security/pam_fprintd.so
auth sufficient pam_unix.so nullok likeauth try_first_pass
auth required pam_deny.so
```
With, say, `sudo`, I can use Ctrl-C to abort the fingerprint prompt if I want to use my password (say, my finger is bandaged, or the fingerprint scanner is somehow unreachable).

With `xsecurelock`, the best I can do is to use a wrong finger three times to make the first pam entry fail, and then I can use my password.

It would be nice if I could instruct `xsecurelock` to abort the fingerprint reader prompt, e.g. by pressing Esc.
This is an interesting request; I do not yet know how this can work though, as PAM does not have a cancel API. Maybe pam_fprintd just catches SIGINT?
I will check out source code of pam_fprintd to find out more about this.
Yes, I think that's precisely how these pam modules work around that issue. But better check, I am only relaying hearsay :-)
Can't find anything on https://github.com/dsd/fprintd/tree/master/pam that handles SIGINT. Too bad I don't have a FP reader myself, or I could try with that.
Hm... can you try one thing:
- Run "sleep 10; pkill -INT authproto_pam"
- Lock the screen
- Let fingerprint timeout after 10 seconds.
Does this enter the password query faster? Or does it reset/exit the auth flow?
If not, try also: "sleep 10; pkill -TERM authproto_pam".
In both cases the auth flow gets reset. `xsecurelock` prints

```
2022-06-09T20:22:00Z 74469 xsecurelock: authproto child killed by signal 2.
2022-06-09T20:22:00Z 74464 xsecurelock: auth child failed with status 1.
```

resp.

```
2022-06-09T20:22:16Z 74511 xsecurelock: authproto child killed by signal 15.
2022-06-09T20:22:16Z 74506 xsecurelock: auth child failed with status 1.
```
With `sudo` it works as advertised:

```
~ $ sudo -s
Legen Sie Ihren rechten Zeigefinger auf den Fingerabdruckleser
^Cjojo@riviera:
```
In https://gitlab.freedesktop.org/libfprint/fprintd/-/tags/v1.92.0 I see

- pam: Cancel authentication on SIGINT (e.g. ctrl+c with sudo)

This is the commit, I think: https://github.com/freedesktop/libfprint-fprintd/commit/657f58fd648e35417ce7266b9c1558ce497dc179
Does that show any subprocesses related to pam_fprintd?
No:

```
~ $ ps waxwuf | grep -10 sudo
jojo 14128 0.0 0.7 1965648 114132 ? Ssl Jun08 0:09 \_ /nix/store/hw4s8wbdqs53i8pa51wj68qh8q4sdwx3-evolution-data-server-3.44.2/libexec/evolution-calendar-factory
jojo 14155 0.0 0.5 1066968 84636 ? Ssl Jun08 0:00 \_ /nix/store/hw4s8wbdqs53i8pa51wj68qh8q4sdwx3-evolution-data-server-3.44.2/libexec/evolution-addressbook-factory
jojo 18093 0.3 0.0 1270928 12876 ? S<sl Jun08 7:45 \_ /nix/store/vh6c7crg5gra9gjfnnrldvqbnjbwvj5d-pulseaudio-15.0/bin/pulseaudio --daemonize=no --log-target=journal
jojo 18100 0.0 0.0 237436 6292 ? Sl Jun08 0:00 | \_ /nix/store/vh6c7crg5gra9gjfnnrldvqbnjbwvj5d-pulseaudio-15.0/libexec/pulse/gsettings-helper
jojo 36061 0.0 0.6 895728 100208 ? Sl Jun08 0:13 \_ evince calculus.pdf
jojo 36067 0.0 0.0 155396 3188 ? Sl Jun08 0:00 \_ /nix/store/yc7296zjx8aqqqp7nf9ai6p8ym6ww98h-evince-42.3/libexec/evinced
root 54553 0.0 0.0 372436 932 ? Ss 10:58 0:00 \_ gpg-agent --homedir /root/.gnupg --use-standard-socket --daemon
jojo 54873 0.0 0.0 449492 5380 ? Sl 11:01 0:00 \_ xss-lock -l -- xsecurelock
jojo 74259 0.3 0.3 697232 51724 ? Rsl 22:20 0:01 \_ /nix/store/cv48kxfz5f2iqlgf6vy72glnnld4vdhg-gnome-terminal-3.44.1/libexec/gnome-terminal-server
jojo 74282 0.0 0.0 235048 14652 pts/1 Ss 22:20 0:00 \_ bash
root 75215 0.0 0.0 225916 4212 pts/1 S+ 22:25 0:00 | \_ sudo -s
jojo 74330 0.0 0.0 235044 14640 pts/2 Ss 22:20 0:00 \_ bash
jojo 75222 0.0 0.0 227768 4184 pts/2 R+ 22:26 0:00 \_ ps waxwuf
jojo 75223 0.0 0.0 223612 2780 pts/2 S+ 22:26 0:00 \_ grep --color=auto -10 sudo
jojo 1339 0.0 0.0 454988 6148 ? SLl Jun08 0:00 gnome-keyring-daemon --start --daemonize --components=secrets,pkcs11
root 1367 0.0 0.0 241512 8440 ? Ssl Jun08 0:01 /nix/store/3w1vrsb97852v1nah1hi6g2la9zbdwl6-upower-0.99.17/libexec/upowerd
rtkit 1535 0.0 0.0 154324 2532 ? SNsl Jun08 0:01 /nix/store/kf5m1bsgi1npscwvk1mbcmmdg2mz9fhp-rtkit-0.13/libexec/rtkit-daemon
root 2059 0.0 0.1 505360 22408 ? Ssl Jun08 0:00 nix-daemon --daemon
jojo 14117 0.0 0.3 1090196 62196 ? Sl Jun08 0:02 /nix/store/hw4s8wbdqs53i8pa51wj68qh8q4sdwx3-evolution-data-server-3.44.2/libexec/evolution-data-server/evolution-alarm-notify
polkitu+ 52566 0.0 0.1 2995768 16652 ? Ssl 10:48 0:00 /nix/store/6lrwrz4qxw6gmyhjp49dgr07wh6wis35-polkit-0.120/lib/polkit-1/polkitd --no-debug
root 52582 0.0 0.0 454100 5324 ? Ssl 10:48 0:00 /nix/store/8nvrg38cd1i1apn6mbpsrraf1n5fg2r6-accountsservice-22.08.8/libexec/accounts-daemon
root 75216 0.6 0.0 588000 9844 ? Ssl 22:25 0:00 /nix/store/ak1j194wmjb5py2820x4a7rlmiv2zz4f-fprintd-1.94.2/libexec/fprintd
```
Maybe the problem isn't that the pam module doesn't handle it, but that `authproto_pam` also gets the signal, and dies, while `sudo` (just guessing here) doesn't die with SIGINT while pam is running.

Indeed, I can make `sudo` behave that way not just with Ctrl-C, but also with `sudo kill -INT $(pgrep sudo)` (I need to run this as root because `sudo` runs as root).
Hmm, doesn't quite seem to work.

I start `xsecurelock`, move the mouse to be prompted for the fingerprint. Then I press Ctrl-C.

At this point, nothing changes in the view, but the fingerprint doesn't do anything (my hypothesis: the auth helper is killed, but the display is not redrawn).

If I now move the mouse again, the prompt appears again, slightly moved (a feature of xsecurelock), and I am asked to put the fingerprint there.

When I unlock, the console says

```
2022-10-11T09:17:19Z 845286 xsecurelock: auth child killed by signal 2.
```

So it looks like Ctrl-C takes the auth child down completely, rather than just interrupting one pam interaction?
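The following is an added illustration, not code from xsecurelock, fprintd or Linux-PAM. It models the two mechanisms the thread circles around: an auth helper whose SIGINT handler only sets a flag (so the helper survives the signal, as `sudo` does, instead of being "killed by signal 2" like `authproto_pam`), and an evaluator for the issue's `sufficient` / `sufficient` / `required` stack in which a cancelled module counts as that one module failing, so the password module still gets its turn. The module bodies, `struct auth_ctx`, the polling loop and the password strings are constructed stand-ins; nothing here calls the real PAM API.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L /* for sigaction() */
#endif
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef enum { MOD_SUCCESS, MOD_AUTH_ERR, MOD_CANCELLED } mod_result;
typedef enum { CTRL_SUFFICIENT, CTRL_REQUIRED } control;

/* Constructed stand-in for what a real helper learns via its conversation
 * function: whether a matching finger shows up, and what was typed. */
struct auth_ctx {
    int finger_present;            /* 1 if a matching finger arrives during the scan */
    const char *typed_password;
    const char *expected_password; /* stand-in; a real module verifies a hash */
    int modules_tried;             /* how many stack entries actually ran */
};

static volatile sig_atomic_t cancel_requested = 0;

static void on_sigint(int sig) { (void)sig; cancel_requested = 1; }

/* Install a SIGINT handler that only records the request. With the default
 * disposition the whole helper terminates and the parent sees the auth flow
 * reset instead of a cancelled prompt. Returns 0 on success like sigaction(). */
int install_cancel_handler(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigint;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0; /* no SA_RESTART: a blocking read in a real module returns EINTR */
    return sigaction(SIGINT, &sa, NULL);
}

typedef mod_result (*module_fn)(struct auth_ctx *ctx);

/* Stand-in for pam_fprintd: polls for a finger, stops if SIGINT arrived. */
mod_result fingerprint_module(struct auth_ctx *ctx) {
    ctx->modules_tried++;
    for (int tick = 0; tick < 3; tick++) { /* a few polling rounds instead of a long scan */
        if (cancel_requested) return MOD_CANCELLED;
        if (ctx->finger_present) return MOD_SUCCESS;
    }
    return MOD_AUTH_ERR; /* timeout or no match */
}

/* Stand-in for pam_unix: plain string compare on constructed values. */
mod_result password_module(struct auth_ctx *ctx) {
    ctx->modules_tried++;
    if (cancel_requested) return MOD_CANCELLED;
    if (ctx->typed_password && strcmp(ctx->typed_password, ctx->expected_password) == 0)
        return MOD_SUCCESS;
    return MOD_AUTH_ERR;
}

/* Stand-in for pam_deny: always fails. */
mod_result deny_module(struct auth_ctx *ctx) { ctx->modules_tried++; return MOD_AUTH_ERR; }

struct stack_entry { control ctl; module_fn run; };

/* Linux-PAM control-flag semantics for an auth stack: a "sufficient" success
 * ends the stack successfully unless a "required" module already failed; a
 * "required" failure is remembered and the stack keeps running. A cancelled
 * module is treated as that module failing, so the next entry still runs.
 * Returns 0 for success, 1 for failure. */
int run_auth_stack(const struct stack_entry *stack, size_t n, struct auth_ctx *ctx) {
    int required_failed = 0;
    for (size_t i = 0; i < n; i++) {
        mod_result r = stack[i].run(ctx);
        if (r == MOD_CANCELLED) {
            cancel_requested = 0; /* one Ctrl-C cancels one module, not the stack */
            r = MOD_AUTH_ERR;
        }
        if (stack[i].ctl == CTRL_SUFFICIENT && r == MOD_SUCCESS && !required_failed)
            return 0;
        if (stack[i].ctl == CTRL_REQUIRED && r != MOD_SUCCESS)
            required_failed = 1;
    }
    return 1;
}

/* The stack from the issue: fprintd sufficient, unix sufficient, deny required. */
static const struct stack_entry issue_stack[] = {
    { CTRL_SUFFICIENT, fingerprint_module },
    { CTRL_SUFFICIENT, password_module },
    { CTRL_REQUIRED,   deny_module },
};

/* Run the issue's stack; send_sigint models Ctrl-C at the finger prompt. */
int authenticate(struct auth_ctx *ctx, int send_sigint) {
    if (send_sigint) raise(SIGINT); /* caught by on_sigint, not fatal */
    return run_auth_stack(issue_stack, sizeof issue_stack / sizeof issue_stack[0], ctx);
}

int main(void) {
    install_cancel_handler();
    struct auth_ctx ctx = { 0, "correct horse", "correct horse", 0 }; /* constructed */
    int rc = authenticate(&ctx, 1);
    printf("result=%d modules_tried=%d\n", rc, ctx.modules_tried);
    return rc;
}
```

The interesting case is the first one: with the handler installed, a SIGINT during the fingerprint stand-in cancels only that module, and the password module then succeeds, which is the behaviour the thread reports for `sudo`. Without `install_cancel_handler()` the same `raise(SIGINT)` would terminate the process, which is what the `killed by signal 2` log lines above show for the xsecurelock helper.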