[Fingerforce-devel] libpam-thinkfinger/libpam-fprint and screensavers

Luca Capello luca at pca.it
Mon Mar 3 15:54:55 UTC 2008 

Hi Dererk!

On Mon, 03 Mar 2008 02:43:35 +0100, dererk wrote:
> On Sun, Mar 02, 2008 at 11:54:12PM +0100, Luca Capello wrote:
>> 1) permissions for the USB device
>> 
>>    Both ThinkFinger and fprint needs special permissions for the USB
>>    device, otherwise they cannot access it.  I filed bug #469043 [3]
>>    only for ThinkFinger, since questionable is which group should own
>>    the USB device, a 'fingerprint' one or a "more general" one like
>>    'plugdev'.  As soon as a solution has been found, the same should be
>>    included in fprint as well.  Moreover, since this is critical to use
>>    the device (and the library) with any program, I'm for adding the
>>    udev rule (and the group creation) into the main library package.
>
> Believe it or not, yesterday morning I was sharing this concern with
> Xerakko.
> I was just about to mail team about this exact matter (plus Daniel's
> async libusb, that should be discussed soon), what a bloody casuality
> :-)

Let's say we don't need to (re)sync our mind ;-)

> I agree w/ you that 'plugdev' meets our need very well,

One reason in favor of a new group 'fingerprint' is that a more specific
access can be granted, i.e. an access restricted to the fingerprint
device and not all the 'plugdev' devices.  But I don't see why an
administrator would do that, since either she/he completely disables
fingerprint authentication or each user should be able to decide by
herself/himself.

We can also start with 'plugdev' and then switch to 'fingerprint' if
there will be a valid reason to do so.

> something not nice it implies refers to the creation of a new udev
> rule per scanning device supported by thinkfinger/fprint.
>
> I though it would be quite disgusting at first but, we'll have to
> upload a new libfprint pkg with every new supported gadget anyway, so,
> it's not a big trouble I think.

Another solution would be an automatic udev rule generator like the
/usr/lib/libgphoto2/print-camera-list executable: fprint should be able
to output a list of supported devices, identifying them by USB IDs
(vendor:product).

> Do you see any possible problem by doing this?
> It there any kind of impediment to apply to this right now?

No, except that the rule I provided at bug #469043 [1] should be changed
to use ATTRS instead of SYSFS [2] and permissions 0664 [3], thus:

--8<---------------cut here---------------start------------->8---
# SGS Thomson Microelectronics Fingerprint Reader
ATTRS{idVendor}=="0483", ATTRS{idProduct}=="2016", MODE="0664", GROUP="plugdev"
--8<---------------cut here---------------end--------------->8---

If you don't mind, I'll prepare a test package for both ThinkFinger and
fprint with the correct udev rules and then test them before committing
to the FingerForce SVN repository ;-)

Thx, bye,
Gismo / Luca

Footnotes: 
[1] http://bugs.debian.org/469043
[2] this is the semantic used by rules in the 'udev' package
[3] because anyway every user should have read permission on the device,
    even if there's actually a bug in Debian about that:
      http://bugs.debian.org/444809

More information about the Fingerforce-devel mailing list