Hello o/ I'm trying to write an ssh-askpass replacement that requires fingerprint authentication. I looked at the sources of fprint-verify to learn about the protocol with dbus, but when I call GetDefaultDevice on the manager I get a permission error:

    ‣ Type=method_call Endian=l Flags=0 Version=1 Cookie=4 Timestamp="Mon 2022-04-04 08:04:17.416085 UTC"
      Sender=:1.5384 Destination=:1.5384 Path=/net/reactivated/Fprint/Manager Interface=net.reactivated.Fprint.Manager Member=GetDefaultDevice
      UniqueName=:1.5384
      MESSAGE "" {
      };

    ‣ Type=error Endian=l Flags=1 Version=1 Cookie=5 ReplyCookie=4 Timestamp="Mon 2022-04-04 08:04:17.416148 UTC"
      Sender=org.freedesktop.DBus Destination=:1.5384
      ErrorName=org.freedesktop.DBus.Error.AccessDenied
      ErrorMessage="Rejected send message, 1 matched rules; type="method_call", sender=":1.5384" (uid=1000 pid=1266175 comm="target/debug/fprint-test " label="kernel") interface="net.reactivated.Fprint.Manager" member="GetDefaultDevice" error name="(unset)" requested_reply="0" destination=":1.5384" (uid=1000 pid=1266175 comm="target/debug/fprint-test " label="kernel")"
      MESSAGE "s" {
              STRING "Rejected send message, 1 matched rules; type="method_call", sender=":1.5384" (uid=1000 pid=1266175 comm="target/debug/fprint-test " label="kernel") interface="net.reactivated.Fprint.Manager" member="GetDefaultDevice" error name="(unset)" requested_reply="0" destination=":1.5384" (uid=1000 pid=1266175 comm="target/debug/fprint-test " label="kernel")";
      };

I looked at the discussion when fprint-verify runs (since it works as expected) and saw that it first tried to request the name (after manually activating the service). When I reproduce this myself, I again get a permission error.

    ‣ Type=method_call Endian=l Flags=0 Version=1 Cookie=3 Timestamp="Sun 2022-04-03 23:50:14.614935 UTC"
      Sender=:1.5238 Destination=org.freedesktop.DBus Path=/org/freedesktp/DBus Interface=org.freedesktop.DBus Member=RequestName
      UniqueName=:1.5238
      MESSAGE "su" {
              STRING "net.reactivated.Fprint";
              UINT32 0;
      };

    ‣ Type=error Endian=l Flags=1 Version=1 Cookie=4 ReplyCookie=3 Timestamp="Sun 2022-04-03 23:50:14.614999 UTC"
      Sender=org.freedesktop.DBus Destination=:1.5238
      ErrorName=org.freedesktop.DBus.Error.AccessDenied
      ErrorMessage="Connection ":1.5238" is not allowed to own the service "net.reactivated.Fprint" due to security policies in the configuration file"
      MESSAGE "s" {
              STRING "Connection ":1.5238" is not allowed to own the service "net.reactivated.Fprint" due to security policies in the configuration file";
      };

I'm a complete noob with dbus, so I don't know what configuration file policy is denying access. By looking at the configuration under share/dbus-1/system.d/net.reactivated.Fprint.conf it should allow me to talk to the bus:

    <!-- Anyone can talk to the service -->
    <policy context="default">
      <allow send_destination="net.reactivated.Fprint" send_interface="net.reactivated.Fprint.Manager"/>
      <allow send_destination="net.reactivated.Fprint" send_interface="net.reactivated.Fprint.Device"/>

Could you give me any hints on what I may be missing?

The source is available here: https://gitlab.com/roosemberth/ssh-fprintd-askpass/-/blob/master/src/fprint.rs

I'm running NixOS 22.05 (Quokka) x86_64 on Sway, in case that's relevant. pkgs.fprintd is installed in the system environment packages.

Thanks, cheers!

Roosembert Palacios
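
An added example, not part of the original post or of fprintd: a simplified Python model of how the bus applies send rules, run over the policy fragment and the first denial quoted above. It compares the call as captured (destination equal to the sender's own unique name) with the same call addressed to the well-known name. The function names, the shortened log string, the added closing tag and the assumption that method calls are denied unless a rule allows them are constructed for illustration. Name ownership (RequestName) is governed by separate `own` rules, which the quoted fragment does not contain.

```python
import re
import xml.etree.ElementTree as ET

# Policy fragment quoted in the post; closing tag added here so it parses.
POLICY = """<policy context="default">
  <allow send_destination="net.reactivated.Fprint" send_interface="net.reactivated.Fprint.Manager"/>
  <allow send_destination="net.reactivated.Fprint" send_interface="net.reactivated.Fprint.Device"/>
</policy>"""

# First AccessDenied message from the post, shortened (constructed sample).
DENIAL = ('Rejected send message, 1 matched rules; type="method_call", '
          'sender=":1.5384" (uid=1000) interface="net.reactivated.Fprint.Manager" '
          'member="GetDefaultDevice" error name="(unset)" requested_reply="0" '
          'destination=":1.5384" (uid=1000)')

def parse_denial(text):
    """Extract key="value" fields from a 'Rejected send message' string."""
    return dict(re.findall(r'(\w+)="([^"]*)"', text))

def send_allowed(policy_xml, msg, owned_names):
    """Simplified model: the last matching send rule wins, default is deny.
    owned_names maps a unique name to the well-known names it owns."""
    dest = msg["destination"]
    names = {dest} | set(owned_names.get(dest, ()))
    verdict = False
    for rule in ET.fromstring(policy_xml):
        attrs = rule.attrib
        if not any(key.startswith("send_") for key in attrs):
            continue  # own=/receive_ rules do not apply to sending
        # send_destination matches only if the receiver owns that name
        if attrs.get("send_destination", dest) not in names:
            continue
        if attrs.get("send_interface", msg["interface"]) != msg["interface"]:
            continue
        verdict = rule.tag == "allow"
    return verdict

def diagnose(text, policy_xml, owned_names):
    """Compare the call as sent with the same call to the well-known name."""
    msg = parse_denial(text)
    fixed = dict(msg, destination="net.reactivated.Fprint")
    return {
        "self_addressed": msg["sender"] == msg["destination"],
        "as_sent": send_allowed(policy_xml, msg, owned_names),
        "to_well_known_name": send_allowed(policy_xml, fixed, owned_names),
    }

if __name__ == "__main__":
    # The sender owns no well-known names, since RequestName was refused.
    print(diagnose(DENIAL, POLICY, {}))
```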