Saturday, October 31, 2020

Disable fingerprint scanner when laptop lid is closed

Since Fedora 32, I have been able to enable login and sudo with fingerprints in Gnome settings. However, when my laptop is docked and the lid is closed, sudo still prompts for my fingerprints. I have to wait a few seconds for the fingerprint reader to time out before I can input my password.

I would like to change sudo to skip fingerprint authentication when the laptop lid is closed. I came up with two options:

  1. Enable the fingerprint reader when I open the lid and disable it when I close the lid.
  2. Change PAM config to check for lid status and skip when the lid is closed.

For either option to work, it needs to know the lid status. On my ThinkPad X1 7th gen laptop, /proc/acpi/button/lid/LID/state has the lid status. I think the second option is better, but I did not figure out how to tell PAM to skip conditionally. So I implemented the first solution.

On Linux, you can enable/disable a USB device by setting the authorized bit in sysfs.

I also found an acpid program that monitors ACPI events and runs scripts when certain events happen. I installed it and created these two files.




#!/bin/bash
# Lid closed: deauthorize the fingerprint reader.
if grep -q close /proc/acpi/button/lid/LID/state; then
    echo 0 > /sys/bus/usb/devices/1-9:1.0/authorized
fi
# Lid open: authorize it again.
if grep -q open /proc/acpi/button/lid/LID/state; then
    echo 1 > /sys/bus/usb/devices/1-9:1.0/authorized
fi
exit 0

So every time the lid status changes, acpid will run the script, which checks the lid status and then disables/enables the fingerprint reader. To prevent acpid from conflicting with Gnome, I removed all other files in /etc/acpi/events.
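
The script above hard-codes the sysfs entry 1-9:1.0, which can differ between machines. As an added example (not the post's own script), these sh functions look the reader up by USB vendor and product ID and set the device-level authorized bit from the lid state. The function names and the SYSFS_USB and LID_STATE override variables are assumptions made for this example; the IDs 06cb:00bd are the ones from the lsusb output in the comments below.

```shell
#!/bin/sh
# Added example, not the post's script. SYSFS_USB and LID_STATE are assumed
# override variables (defaults are the real paths) so the logic can be tested.
SYSFS_USB="${SYSFS_USB:-/sys/bus/usb/devices}"
LID_STATE="${LID_STATE:-/proc/acpi/button/lid/LID/state}"

# Print the sysfs directory of the first USB device with this vendor/product ID.
find_usb_device() {
    vendor="$1"; product="$2"
    for dev in "$SYSFS_USB"/*; do
        # Interface entries such as 1-9:1.0 carry no ID files; skip them.
        [ -r "$dev/idVendor" ] && [ -r "$dev/idProduct" ] || continue
        if [ "$(cat "$dev/idVendor")" = "$vendor" ] &&
           [ "$(cat "$dev/idProduct")" = "$product" ]; then
            printf '%s\n' "$dev"
            return 0
        fi
    done
    return 1
}

# Map the lid state to the authorized value: closed -> 0, open -> 1.
# Fails on an unreadable or unexpected state instead of guessing.
lid_to_authorized() {
    case "$(cat "$LID_STATE" 2>/dev/null)" in
        *closed*) echo 0 ;;
        *open*)   echo 1 ;;
        *)        return 1 ;;
    esac
}

# Set the reader's authorized bit from the lid state; needs root on a real system.
sync_fingerprint_reader() {
    dev=$(find_usb_device "$1" "$2") || { echo "reader $1:$2 not found" >&2; return 1; }
    value=$(lid_to_authorized) || { echo "unknown lid state" >&2; return 1; }
    # Write only when the value actually changes.
    [ "$(cat "$dev/authorized")" = "$value" ] || echo "$value" > "$dev/authorized"
}

# In the acpid handler: sync_fingerprint_reader 06cb 00bd
```

If the reader is missing or the lid state is unreadable, the function returns non-zero and leaves the authorized bit untouched.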


  1. Hi, I have the same setup, so thank you for this post. But I want to ask: how do you find which entry in "/sys/bus/usb/devices/*" is being used by the fingerprint reader?

    2. # lsusb|grep Finger
      Bus 001 Device 003: ID 06cb:00bd Synaptics, Inc. Prometheus MIS Touch Fingerprint Reader

      # grep 06cb /sys/bus/usb/devices/*/idVendor

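  2. #!/bin/bash

    export PATH="/usr/bin"

    if grep -q close /proc/acpi/button/lid/LID0/state; then
        # Lid closed: comment out the matching line(s) in the PAM config.
        sed -i 's/^\(.**\)$/#\1/' /etc/pam.d/common-auth
    else
        # Lid open: uncomment them again.
        sed -i 's/^#\(.**\)$/\1/' /etc/pam.d/common-auth
    fi

    exit 0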