profiles: fprint: Fix fingerprint sudo integration

[ptr1337]

sudo does not accept dropin files and therefore the fingerprint sudo auth did not work. Sed the normal pam.

[Copilot]

Pull request overview

Fixes fingerprint authentication for sudo by switching from an unsupported PAM drop-in approach to editing /etc/pam.d/sudo directly.

Changes:

• Replace creation of /etc/pam.d/sudo.d/50-fprintd.conf with a sed insertion into /etc/pam.d/sudo.
• Update removal logic to delete the inserted # chwd-fprintd line from /etc/pam.d/sudo.
• Keep enabling/disabling of fprintd.service as part of install/remove hooks.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

This update stops managing /etc/pam.d/sudo.d/50-fprintd.conf, but systems that previously installed this profile may still have the legacy drop-in file and directory left behind. Consider cleaning up the old managed file (e.g., if it contains the historical chwd marker) during install/upgrade or in post_remove so the profile doesn’t leave stale, confusing configuration artifacts.

[ptr1337]

Nah

[Copilot]

The guard only checks for the marker string (chwd-fprintd). If a user/system already has an auth ... pam_fprintd.so line (without this marker), this will insert a second pam_fprintd entry, which can lead to multiple fingerprint prompts and a confusing PAM stack. Consider also checking for an existing pam_fprintd.so auth line (or otherwise detecting an existing fprint configuration) before inserting.

Suggested change

	if [ -f /etc/pam.d/sudo ] && ! grep -q 'chwd-fprintd' /etc/pam.d/sudo; then
	if [ -f /etc/pam.d/sudo ] \
	&& ! grep -q 'chwd-fprintd' /etc/pam.d/sudo \
	&& ! grep -Eq '^[[:space:]]*auth([[:space:]]+[^#[:space:]]+)*[[:space:]]+pam_fprintd\.so([[:space:]]|$)' /etc/pam.d/sudo; then

[vnepogodin]

fair. hope auth won't get broken someday