I have a ThinkPad T440 on Ubuntu 14.04. I use fingerprint-gui to allow me to log in and use sudo by swiping a fingerprint. The worrying part is that anyone can run the fingerprint-gui program to reprogram the fingerprints -- so, anyone can get into my computer, given a few minutes! This seems like a gaping security hole. How can I patch this?

Adam Selker
  • You need to make it so the program can only be run with sudo. – Tim Jun 24 '14 at 18:38
  • http://askubuntu.com/questions/8149/how-can-i-restrict-program-access-to-other-users – Tim Jun 24 '14 at 18:40
  • I tried changing the mode so that only root could run it, but it forgot my fingerprints, and I suspect that if I were to add new fingerprints they wouldn't work. The upshot is that I want to run the program as myself, but I want it to require a password. – Adam Selker Jun 24 '14 at 18:54
  • Ahh, so running as root is bad... Could you lock the file in which it is saved? (i.e. the config files)? – Tim Jun 24 '14 at 19:00
  • How does this "anyone" log into your computer without your password or your finger? Does this "anyone" have a user account on your computer? Have you allowed "anyone" read and write access to your home folder (when anyone is logged in as anyone or someone-else)? – user68186 Jun 24 '14 at 19:05
  • This "Anyone" saw me leave my computer logged in when I went to get a cup of water. – Adam Selker Jun 24 '14 at 19:08
  • Tim: I'm not sure how I would be able to use it then -- would I have to manually unlock the files every time I edit a fingerprint? – Adam Selker Jun 24 '14 at 19:12
  • How does someone log into your computer without knowing your password? If your password is compromised, that is a different story. I am sure you didn't leave your fingers behind when you went to get a cup of water. Remember to lock your computer whenever you leave it. Forgetting to lock your computer is the real security hole. – user68186 Jun 25 '14 at 15:51

1 Answer

It is possible for someone to reprogram a user's fingerprints provided they have already been authenticated as that user. However, the developers of the program do not consider this an issue under their current security model.

You can see this forum post for an explanation of their choice:

http://home.ullrich-online.cc/fingerprint/Forum/topic.php?TopicId=324#1063