Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Don't block non-promt conversations services while another service is promting #2

Closed
skruppy opened this issue Mar 17, 2024 · 2 comments · Fixed by #6
Closed

Don't block non-promt conversations services while another service is promting #2

skruppy opened this issue Mar 17, 2024 · 2 comments · Fixed by #6
Labels
bug Something isn't working help wanted Extra attention is needed

Comments

@skruppy
Copy link

skruppy commented Mar 17, 2024

Test setup

In order to authenticate to su suing password OR fingerprint I used the following setup.
Relevant contents of /etc/pam.d/su:

[...]
auth            required        pam_any.so {"any-fingerprint": "Fingerprint", "any-password": "Password"}
[...]

Content of /etc/pam.d/any-fingerprint:

auth            required        pam_fprintd.so
account         required        pam_permit.so

Content of /etc/pam.d/any-password:

auth            required        pam_unix.so
account         required        pam_permit.so

Problem description

When trying to authenticate using a fingerprint, the authentication does not succeed until a (invalid/empty) password is provided as shown here:

$ pamtester su skruppy authenticate
[Password] Password: 
[Fingerprint] Place your right index finger on the fingerprint reader
pamtester: successfully authenticated

Cause of the issue

This is caused by pam_unix always being faster asking for a password than pam_fprintd wanting to print some informational notices.
Due to the mutex placed on the upstream conversation, the progress of pam_fprintd is halted at the output request of the info message until an user input has been provided to pam_unix.
Hence the pam_fprintd module never returns any result before pam_unix.

Possible solutions

Reply non-promt requests from queue

For non promt_* calls like info() or error() add them to a queue during an ongoing promt-call and reply them once the promt is done.

Combine non-promt requests

For non promt_* calls like info() or error() collect the messages in a single concatenated message during an ongoing promt-call. Send this concatenated message once the promt-call has finished.

This has the advantage that GUIs which might only show a single message at a time do not only show the last queued message, but all of them.
@ChocolateLoverRaj
Copy link
Owner

I think the key part of both possible solutions is adding to a queue instead of blocking. Maybe there can be an option to combine non-prompt requests.

@ChocolateLoverRaj ChocolateLoverRaj added bug Something isn't working help wanted Extra attention is needed labels Mar 17, 2024
@ChocolateLoverRaj
Copy link
Owner

The simplest (but may not be best) solution I can think of is to create a new thread which acquires a mutex lock and sends info messages instead of directly acquiring a mutex lock.

@ChocolateLoverRaj ChocolateLoverRaj mentioned this issue Mar 19, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working help wanted Extra attention is needed
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Send info and error messages in a different thread that doesn't block… ChocolateLoverRaj/pam-any
2 participants
@skruppy @ChocolateLoverRaj