[Maverick regression] Fingerprint authentication (libpam-thinkfinger, libpam-fprint & libpam-fprintd) not working with basic sudo

Bug #609645 reported by Noel J. Bergman on 2010-07-25
This bug affects 26 people
Affects Status Importance Assigned to Milestone
pam-fprint (Ubuntu)
sudo (Debian)
sudo (Ubuntu)

Bug Description

Binary package hint: libpam-fprint

I've been using thinkfinger for many releases, and fprint since Lucid (since Ubuntu chose to no longer support thinkfinger). It was working with Maverick until recently. At present, fprint will be used for login and graphical apps such as update-manager, but when I run sudo from a terminal, I am immediately prompted for a password.

I have checked the behavior with both the standard fprint packages and those from the fprint team PPA, including replacing libpam-fprint with the new libpam-fprintd. The behavior remains consistent. I am prompted for a fingerprint *except* when using sudo.

So, to be clear, I performed all of the steps here https://launchpad.net/~fingerprint/+archive/fprint?field.series_filter=maverick and when I get to step 8, everything works EXCEPT for sudo.

Related branches

CVE References

Noel J. Bergman (noeljb) wrote :

Currently installed versions:

$ dpkg -l | grep fprint
ii fprint-demo 1:0.4+git20080303-0~ppa2~maverick1 GUI to show and test libfprint's capabilitie
ii fprintd 0.0.0+git20090124-0~ppa3~maverick1 D-Bus daemon for fingerprint reader access
ii libfprint0 1:0.1.0~pre2-0~ppa9~maverick1 fingerprint library of fprint project, share
ii libpam-fprintd 0.0.0+git20090124-0~ppa3~maverick1 PAM module for fprintd

summary: - libpam-fprint
+ libpam-fprint not working with basic sudo
summary: - libpam-fprint not working with basic sudo
+ [Maverick regression] libpam-fprint & libpam-fprintd not working with
+ basic sudo
tags: added: regression-potential

OK, I've now also tested this with thinkfinger, which was newly updated and posted.

Thinkfinger and fprint are both working for login, both working for authentication with update manager, et al, and NEITHER is working with sudo from the command line, leading me to believe that the actual defect is common to both.

This regression is unique to Maverick.

summary: - [Maverick regression] libpam-fprint & libpam-fprintd not working with
- basic sudo
+ [Maverick regression] Fingerprint authentication (libpam-thinkfinger,
+ libpam-fprint & libpam-fprintd) not working with basic sudo
Noel J. Bergman (noeljb) wrote :

I've also tested against fprint in the latest Fedora, and this is still a problem unique to Maverick.

Mingming Ren (portis25) on 2010-08-18
Changed in pam-fprint (Ubuntu):
status: New → Confirmed
Changed in sudo (Ubuntu):
status: New → Confirmed
David Jurenka (jurenka) wrote :

Looks like a bug in sudo, introduced in version 1.7.2p2. Here's an upstream bug report:
And similar reports for Fedora, Debian and Arch:

Changed in pam-fprint (Ubuntu):
status: Confirmed → Invalid
Mingming Ren (portis25) wrote :
tags: added: patch
Changed in sudo (Ubuntu):
importance: Undecided → Medium
affects: pam-fprint (Debian) → sudo (Debian)
Sesivany (jiri-eischmann) wrote :

The problem still remains in maverick. Is it going to be fixed since a patch is provided?

Changed in sudo (Debian):
status: Unknown → Confirmed
kirschjoghurt (daniel-bavrin) wrote :

maverick, thinkpad T60, same trouble. hope they'll release an update of "sudo" soon.

Noel J. Bergman (noeljb) on 2010-10-13
tags: added: regression-release
removed: regression-potential
jedioetzi (jedioetzi) wrote :

with lucid I used fprint for authentication with sudo gksudo
after migrate to maverick (and keeping the same fprint packages) sudo asks directly for password
the same for synaptic.
gdm login, ubuntu-tweak, user settings, are working with fprint like before

jedioetzi (jedioetzi) wrote :

I must rollback my assertion 'keeping the same fprint packages': they are changed.

Now I installed the package fingerprint-gui and it WORKS with sudo too!

maverick, dell xps 1330, same trouble.

Agrv (agrv) wrote :

Ubuntu 10.10 amd64 on Toshiba X200, same problem : libpam-thinkfinger only works for gdm login, no more for sudo or gksudo. I tried fingerprint-gui but it is not an acceptable workaround as it blocks session disconnection and screensaver unlocking. Is there a way to make thinkfinger work on sudo and gksudo again ? Thanks for your help.

Noel J. Bergman (noeljb) wrote :

I tested the upstream patch against the current sudo package in Maverick, and it works. I can upload a debdiff.

Noel J. Bergman (noeljb) wrote :

Attached is a debdiff containing the upstream fix for allowing sudo to work again with fprint(d) and thinkfinger.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sudo - 1.7.4p4-5ubuntu1

sudo (1.7.4p4-5ubuntu1) natty; urgency=low

  * Merge from debian unstable (LP: #689025), remaining changes:
    - debian/rules:
      + compile with --without-lecture --with-tty-tickets (Ubuntu specific)
      + install man/man8/sudo_root.8 (Ubuntu specific)
      + install apport hooks
    - debian/sudo-ldap.dirs, debian/sudo.dirs: add
  * This upload also fixes: LP: #609645

sudo (1.7.4p4-5) unstable; urgency=low

  * patch from Jakub Wilk to add noopt and nostrip build option support,
    closes: #605580
  * make sudoers a conffile, closes: #605130
  * add descriptions to LSB init headers, closes: #604619
  * change default sudoers %sudo entry to allow gid changes, closes: #602699
  * add Vcs entries to the control file
  * use debhelper install files instead of explicit installs in rules

sudo (1.7.4p4-4) unstable; urgency=low

  * patch from upstream to resolve problem always prompting for a password
    when run without a tty, closes: #599376
  * patch from upstream to resolve interoperability problem between HOME in
    env_keep and the -H flag, closes: #596493
  * change path syntax to avoid tar error when /var/run/sudo exists but is
    empty, closes: #598877

sudo (1.7.4p4-3) unstable; urgency=low

  * make postinst clause for handling /var/run -> /var/lib transition less
    fragile, closes: #585514
  * cope with upstream's Makefile trying to install ChangeLog in our doc
    directory, closes: #597389
  * fix README.Debian to reflect that HOME is no longer preserved by default,
    closes: #596847

sudo (1.7.4p4-2) unstable; urgency=low

  * add a NEWS item about change in $HOME handling that impacts programs
    like pbuilder

sudo (1.7.4p4-1) unstable; urgency=high

  * new upstream version, urgency high due to fix for flaw in Runas group
    matching (CVE-2010-2956), closes: #595935
  * handle transition of /var/run/sudo to /var/lib/sudo better, to avoid
    re-lecturing existing users, and to clean up after ourselves on upgrade,
    and remove the RAMRUN section from README.Debian since the new state dir
    should fix the original problem, closes: #585514
  * deliver README.Debian to both package flavors, closes: #593579
 -- Lorenzo De Liso <email address hidden> Wed, 15 Dec 2010 21:32:57 +0100

Changed in sudo (Ubuntu):
status: Confirmed → Fix Released
Woonjas (woonjas) wrote :

Any idea when this fix will make it to the repositories?

David Jurenka (jurenka) wrote :

The following PPA contains a fixed package for Maverick.

I can confirm that fix from David Jurenka's ppa works! Thanks David!

Forlong (forlong) wrote :

David Jurenka's ppa sudo package works here as well but gksu is still not working, so I'm adding it as also affected.

David Jurenka (jurenka) wrote :

The fact that gksu does not support alternative means of authentication has nothing to do with this regression in sudo. Relevant bug for that issue is #86843. The solution is to use gksu-polkit, a successor to gksu, instead.

Changed in gksu:
status: New → Invalid
Forlong (forlong) wrote :

Could you please tell me then how to use gksu-polkit?
  gksu-polkit synpatic
  gksu-polkit /usr/bin/synpatic
does not work:

»Failed to execute child process "/usr/bin/synaptic" (No such file or directory)«

David Jurenka (jurenka) wrote :

Synaptic is in /usr/sbin and full path is required, hence “gksu-polkit /usr/sbin/synaptic”.

Forlong (forlong) wrote :

Thank you very much. Is there a reason, why plain 'synaptic' doesn't work with gksu-polkit? Security related maybe?

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.