From 37ce3d61c955b9dfcd12a06265044ef1b21a9dbf Mon Sep 17 00:00:00 2001 From: boltgolt Date: Tue, 13 Mar 2018 21:17:49 +0100 Subject: [PATCH] Fixed installer permissions and cli location, ignoring remote sessions --- config.ini | 5 +++++ installer.py | 9 +++++++-- pam.py | 14 ++++++++++++++ 3 files changed, 26 insertions(+), 2 deletions(-) diff --git a/config.ini b/config.ini index 8e92636..3076f96 100644 --- a/config.ini +++ b/config.ini @@ -6,6 +6,11 @@ no_confirmation = false # show an error but fail silently suppress_unknown = false +# Auto dismiss lock screen on confirmation +# Will run loginctl unlock-sessions after every auth +# Expirimental, can behave incorrectly on some systems +dismiss_lockscreen = false + [video] # The certainty of the detected face belonging to the user of the account # On a scale from 1 to 10, values above 5 are not recommended diff --git a/installer.py b/installer.py index 5b4374c..5ec2fd1 100644 --- a/installer.py +++ b/installer.py @@ -141,9 +141,14 @@ for line in fileinput.input(["/lib/security/howdy/config.ini"], inplace = 1): # Secure the howdy folder handleStatus(subprocess.call(["chmod 600 -R /lib/security/howdy/"], shell=True)) +# Allow anyone to execute the python CLI +handleStatus(subprocess.call(["chmod 755 /lib/security/howdy"], shell=True)) +handleStatus(subprocess.call(["chmod 744 /lib/security/howdy/cli.py"], shell=True)) +handleStatus(subprocess.call(["chmod 744 -R /lib/security/howdy/cli"], shell=True)) + # Make the CLI executable as howdy -handleStatus(subprocess.call(["ln -s /lib/security/howdy/cli.py /usr/bin/howdy"], shell=True)) -handleStatus(subprocess.call(["chmod +x /usr/bin/howdy"], shell=True)) +handleStatus(subprocess.call(["ln -s /lib/security/howdy/cli.py /usr/local/bin/howdy"], shell=True)) +handleStatus(subprocess.call(["chmod +x /usr/local/bin/howdy"], shell=True)) # Install the command autocomplete, don't error on failure subprocess.call(["sudo cp /lib/security/howdy/autocomplete.sh /etc/bash_completion.d/howdy"], shell=True) diff --git a/pam.py b/pam.py index bd6cf06..27977ab 100644 --- a/pam.py +++ b/pam.py @@ -4,6 +4,8 @@ import subprocess import sys import os +import threading +import time # pam-python is running python 2, so we use the old module here import ConfigParser @@ -15,6 +17,11 @@ config.read(os.path.dirname(os.path.abspath(__file__)) + "/config.ini") def doAuth(pamh): """Start authentication in a seperate process""" + # Abort if the session is remote + if pamh.rhost is not None or "SSH_CONNECTION" in os.environ: + pamh.conversation(pamh.Message(pamh.PAM_TEXT_INFO, "Skipping face recognition for remote session")) + return pamh.PAM_AUTH_ERR + # Run compare as python3 subprocess to circumvent python version and import issues status = subprocess.call(["python3", os.path.dirname(os.path.abspath(__file__)) + "/compare.py", pamh.get_user()]) @@ -29,8 +36,15 @@ def doAuth(pamh): return pamh.PAM_AUTH_ERR # Status 0 is a successful exit if status == 0: + # Show the success message if it isn't suppressed if config.get("core", "no_confirmation") != "true": pamh.conversation(pamh.Message(pamh.PAM_TEXT_INFO, "Identified face as " + pamh.get_user())) + + # Try to dismiss the lock screen if enabled + if config.get("core", "dismiss_lockscreen") == "true": + # Run it as root with a timeout of 1s, and never ask for a password through the UI + subprocess.Popen(["sudo", "timeout", "1", "loginctl", "unlock-sessions", "--no-ask-password"]) + return pamh.PAM_SUCCESS # Otherwise, we can't discribe what happend but it wasn't successful