Saturday, October 31, 2020

Disable fingerprint scanner when laptop lid is closed

Since Fedora 32, I have been able to enable login and sudo with fingerprints in GNOME settings. However, when my laptop is docked and the lid is closed, sudo still prompts for my fingerprint. I have to wait a few seconds for the fingerprint reader to time out before I can input my password.

I would like to change sudo to skip fingerprint authentication when the laptop lid is closed. I came up with two options:

  1. Enable the fingerprint reader when I open the lid and disable it when I close the lid.
  2. Change PAM config to check for lid status and skip pam_fprintd.so when the lid is closed.

For either option to work, it needs to know the lid status. On my ThinkPad X1 7th gen laptop, /proc/acpi/button/lid/LID/state has the lid status. I think the second option is better, but I did not figure out how to tell PAM to skip pam_fprintd.so conditionally. So I implemented the first solution.

On Linux, you can enable/disable a USB device by setting the authorized bit in sysfs.

I also found the acpid program, which monitors ACPI events and runs scripts when certain events happen. I installed it and created these two files.

/etc/acpi/events/lid

event=button/lid.*
action=/etc/acpi/actions/lid.sh 

/etc/acpi/actions/lid.sh

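#!/usr/bin/sh
# Run by acpid on every lid event: disable the fingerprint reader's USB
# interface while the lid is closed and enable it again when the lid opens.

PATH=/usr/sbin:/usr/bin

# Lid closed: writing 0 to "authorized" disables the interface.
if grep -q close /proc/acpi/button/lid/LID/state; then
    echo 0 > /sys/bus/usb/devices/1-9:1.0/authorized
fi

# Lid open: writing 1 enables it again.
if grep -q open /proc/acpi/button/lid/LID/state; then
    echo 1 > /sys/bus/usb/devices/1-9:1.0/authorized
fi

exit 0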

So every time the lid status changes, acpid will run lid.sh, which checks the lid status and then disables/enables the fingerprint reader. To prevent acpid from conflicting with GNOME, I removed all other files in /etc/acpi/events.
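The path 1-9:1.0 in lid.sh depends on which port the reader enumerates on. As an added example (not the author's script), the variant below finds the reader by the vendor and product IDs shown in the lsusb output in the comments and writes the device-level authorized file instead of the interface one. The `--sync` argument and the overridable SYSFS_USB, LID_STATE, FP_VENDOR and FP_PRODUCT variables are assumptions introduced here.

```shell
#!/bin/sh
# Added example: toggle the fingerprint reader by USB ID instead of port path.
# The defaults below are overridable so the logic can run against a test tree.
SYSFS_USB="${SYSFS_USB:-/sys/bus/usb/devices}"
LID_STATE="${LID_STATE:-/proc/acpi/button/lid/LID/state}"
FP_VENDOR="${FP_VENDOR:-06cb}"    # IDs from the lsusb output in the comments
FP_PRODUCT="${FP_PRODUCT:-00bd}"

# Print the sysfs directory of the first USB device matching vendor:product.
find_reader() {
    for dev in "$SYSFS_USB"/*; do
        # Interface entries (1-9:1.0) and unmatched globs have no idVendor file.
        [ -r "$dev/idVendor" ] && [ -r "$dev/idProduct" ] || continue
        [ "$(cat "$dev/idVendor")" = "$FP_VENDOR" ] || continue
        [ "$(cat "$dev/idProduct")" = "$FP_PRODUCT" ] || continue
        printf '%s\n' "$dev"
        return 0
    done
    return 1
}

# Map the lid state to the value to write: closed -> 0, open -> 1.
wanted_value() {
    case "$(cat "$LID_STATE" 2>/dev/null)" in
        *closed*) echo 0 ;;
        *open*)   echo 1 ;;
        *)        return 1 ;;   # unreadable or unexpected: change nothing
    esac
}

# Returns 0 on success, 2 if the reader is absent, 3 if the lid state is unknown.
sync_reader() {
    dev=$(find_reader) || { echo "lid.sh: reader not found" >&2; return 2; }
    val=$(wanted_value) || { echo "lid.sh: lid state unknown" >&2; return 3; }
    # Skip the write when the device is already in the wanted state.
    [ "$(cat "$dev/authorized" 2>/dev/null)" = "$val" ] && return 0
    echo "$val" > "$dev/authorized"
}

# Hypothetical flag: only act when called as "lid.sh --sync" (e.g. from acpid).
case "${1:-}" in
    --sync) sync_reader ;;
esac
```

With this variant the acpid action line would call the script with `--sync`; an unknown lid state or a missing reader leaves every device untouched.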



4 comments:

  1. Hi, I have the same setup, so thank you for this post. But I want to ask: how do you find which entry in "/sys/bus/usb/devices/*" is being used by the fingerprint reader?

    Replies
    1. This comment has been removed by the author.

    2. # lsusb|grep Finger
      Bus 001 Device 003: ID 06cb:00bd Synaptics, Inc. Prometheus MIS Touch Fingerprint Reader

      # grep 06cb /sys/bus/usb/devices/*/idVendor
      /sys/bus/usb/devices/1-9/idVendor:06cb

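  2. #!/bin/bash

    export PATH="/usr/bin"

    if grep -q close /proc/acpi/button/lid/LID0/state; then
        # Lid closed: comment out the pam_fprintd line (lines already commented are left alone).
        sed -i 's/^\([^#].*pam_fprintd\.so.*\)$/#\1/' /etc/pam.d/common-auth
    else
        # Lid open: restore the pam_fprintd line.
        sed -i 's/^#\(.*pam_fprintd\.so.*\)$/\1/' /etc/pam.d/common-auth
    fi

    exit 0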
