The current state of fprintd and dbus on Devuan

Problem description

A fresh Devuan unstable installation with fprintd will not let a user enroll fingerprints. First of all, make sure you disable "Predesktop authentication" in the BIOS.

The current error will resemble the following.

$ fprintd-enroll 
Using device /net/reactivated/Fprint/Device/0
failed to claim device: GDBus.Error:net.reactivated.Fprint.Error.Internal: Open failed with error: transfer failed

OK, so a policykit/dbus problem then. I thought we solved that already.

So you might be tempted to just install policykit-1-gnome and call it a day. That works, as long as you enter your password for every fprintd interaction. Every. Single. One.

Solution

My policy file was incorrect or out of date or something. I swear it used to work, but now I need this:

files/2024/listings/80-fprintd.rules

/*
.. File: 80-fprintd.rules
.. Startdate: 2023-01-12-5 15:59
.. History:
..    2024-09-24 updated for current correctness required
.. Purpose: replaced fprintd.pkla for bgconf 0.1.34
.. Origin: placed by fingerprint-scanner.sh
*/
// Let any user in an active session enroll and verify fingerprints
// without being prompted for a password.
polkit.addRule(function(action, subject) {
   // Exact comparison: String.match() would treat the id as an unanchored regex.
   if (
         (
            action.id == "net.reactivated.fprint.device.enroll" ||
            action.id == "net.reactivated.fprint.device.verify"
         ) && subject.active) {
      polkit.log("action=" + action);
      polkit.log("subject=" + subject);
      return polkit.Result.YES;
   }
});
// setusername (managing fingerprints for a different user) is limited to
// active members of the "admins" group.
polkit.addRule(function(action, subject) {
   if (
         (
            action.id == "net.reactivated.fprint.device.setusername"
         ) && subject.active && subject.isInGroup("admins")) {
      polkit.log("action=" + action);
      polkit.log("subject=" + subject);
      return polkit.Result.YES;
   }
});

Auxiliary

Check the policykit rule more directly without having to do the enroll action:

pkcheck -u -p $$ -a net.reactivated.fprint.device.enroll

I almost went down the route of modifying the /usr/share files placed by the fprintd package:

xmlstarlet edit --inplace --update "/policyconfig/action[@id=\"net.reactivated.fprint.device.enroll\"]/defaults/allow_active" --value "auth_self_keep" /usr/share/polkit-1/actions/net.reactivated.fprint.device.policy

That change would get replaced at every package update, and it also requires a restart of dbus anyway, which is a pain. Clearly dbus is not a unixy thing; some things will never work again after a dbus restart, until you reboot.
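
To see what the two rules decide without a fingerprint reader or a running polkitd, they can be exercised offline against a small stand-in for the rule runtime. This is an added example, not code from the original post or from polkit: `makePolkit`, `loadRules`, `makeSubject`, `decide`, the `policy-default` label and the user names are hypothetical, and the rules are restated with exact string comparison.

```javascript
// Minimal stand-in for polkitd's rule runtime (assumption: only what these rules use).
function makePolkit() {
  const rules = [];
  return {
    Result: { YES: "yes", NO: "no", NOT_HANDLED: "not_handled" },
    addRule(fn) { rules.push(fn); },
    // Rules run in order; the first one that returns a decision wins.
    evaluate(action, subject) {
      for (const rule of rules) {
        const r = rule(action, subject);
        if (r != null && r !== this.Result.NOT_HANDLED) return r;
      }
      // No rule decided: the <defaults> in the package's .policy file apply.
      return "policy-default"; // label made up for this example
    },
  };
}

const P = "net.reactivated.fprint.device.";

// The listing's two conditions, restated with exact string comparison.
function loadRules(polkit) {
  polkit.addRule(function (action, subject) {
    if ((action.id == P + "enroll" || action.id == P + "verify") && subject.active) {
      return polkit.Result.YES;
    }
  });
  polkit.addRule(function (action, subject) {
    if (action.id == P + "setusername" && subject.active && subject.isInGroup("admins")) {
      return polkit.Result.YES;
    }
  });
}

// Constructed subject: hypothetical user, session state and groups.
function makeSubject(user, active, groups) {
  return { user, active, groups, isInGroup: (g) => groups.includes(g) };
}

function decide(actionId, subj) {
  const polkit = makePolkit();
  loadRules(polkit);
  return polkit.evaluate({ id: actionId }, subj);
}

const cases = [
  ["enroll", makeSubject("alice", true, ["users"])],
  ["enroll", makeSubject("alice", false, ["users"])],
  ["setusername", makeSubject("alice", true, ["users"])],
  ["setusername", makeSubject("bob", true, ["admins"])],
];
for (const [a, s] of cases) {
  console.log(a, s.user, s.active ? "active" : "inactive", s.groups.join(","), "->", decide(P + a, s));
}
```

Any request that falls through to `policy-default` is answered from the defaults in the package's .policy file, not from these rules.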

Footnotes

It took me hours to learn all this. That was not how I intended to use a weekend afternoon.
