Knowledge Base

Preserving for the future: Shell scripts, AoC, and more

Fprintd and old policykit

On my Thinkpad X230 Tablet running Devuan GNU+Linux, I could see my fingerprint reader but my user did not have permission to enroll fingers. I would get this error:

$ fprintd-enroll --finger right-thumb
Using device /net/reactivated/Fprint/Device/0
Enrolling right-thumb finger.
EnrollStart failed: GDBus.Error:net.reactivated.Fprint.Error.PermissionDenied: Not Authorized: net.reactivated.fprint.device.enroll

Clearly the device is accessible to the root user.

$ sudo fprintd-enroll --finger right-thumb
Using device /net/reactivated/Fprint/Device/0
Enrolling right-thumb finger.

I am used to working with PolicyKit, so I whipped up a .rules file! This is file /usr/share/polkit-1/rules.d/80-fprintd.rules.

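polkit.addRule(function(action, subject) {
   // Match every fprintd action id, in either capitalisation.
   if (action.id.indexOf("net.reactivated.fprint.") == 0 || action.id.indexOf("net.reactivated.Fprint.") == 0) {
      // Log the request for debugging.
      polkit.log("action=" + action);
      polkit.log("subject=" + subject);
      // Authorize without asking for authentication.
      return polkit.Result.YES;
   }
});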

Unfortunately, it didn't fix my problem! I recalled that Debian uses an older version of PolicyKit (technically the name of the old package, before it was rewritten or renamed to polkit). So I had to go learn how to write a .pkla file. This goes in file /etc/polkit-1/localauthority/20-org.d/fprintd.pkla:

[Everyone fingerprints]
Identity=unix-group:*
Action=net.reactivated.fprint.device.*
ResultAny=yes
ResultInactive=no
ResultActive=yes

No daemon restarts are necessary. Just define this file with these contents, and now the fingerprint reader enrollment is available to all users!
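An added example, not part of the original post: a small Python audit of .pkla text that flags the broad parts of a grant like the one above, namely a wildcard identity, ResultAny=yes (which applies to any matching subject, not only one at the local console), and an Action glob that also matches fprintd's setusername action. The second sample entry and its "fingerprint" group are constructed for comparison, and fnmatch is used as an approximation of polkit's glob matching.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed sample: this page's entry, then a narrower, hypothetical one.
SAMPLE = """\
[Everyone fingerprints]
Identity=unix-group:*
Action=net.reactivated.fprint.device.*
ResultAny=yes
ResultInactive=no
ResultActive=yes

[Fingerprint group only]
Identity=unix-group:fingerprint
Action=net.reactivated.fprint.device.enroll;net.reactivated.fprint.device.verify
ResultAny=no
ResultInactive=no
ResultActive=yes
"""

# fprintd action for managing another user's fingerprints.
SENSITIVE = "net.reactivated.fprint.device.setusername"
RESULT_KEYS = ("ResultAny", "ResultInactive", "ResultActive")

def _values(section, key):
    """Split a semicolon-separated .pkla value into stripped items."""
    return [v.strip() for v in section.get(key, "").split(";") if v.strip()]

def audit_pkla(text):
    """Return {section name: [findings]} for over-broad grants."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case (configparser lowercases by default)
    cp.read_string(text)
    report = {}
    for name in cp.sections():
        sec, findings = cp[name], []
        if any(i.endswith(":*") for i in _values(sec, "Identity")):
            findings.append("wildcard-identity")
        if sec.get("ResultAny", "").strip() == "yes":
            findings.append("any-session-yes")
        grants = any(sec.get(k, "").strip() == "yes" for k in RESULT_KEYS)
        # fnmatch approximates polkit's glob matching of action ids.
        if grants and any(fnmatchcase(SENSITIVE, a) for a in _values(sec, "Action")):
            findings.append("covers-setusername")
        report[name] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit_pkla(SAMPLE).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```

An entry that reports no findings grants only the named actions to a named group in an active local session.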

References

Man pages

  1. pklocalauthority(8)
