Comment 6 for bug 912695

Ross Boswell (drb-x) wrote : Re: [Bug 912695] Re: libpam_blue requires root, fails if non-privileged

Dear Craig

As you'll see from the bug report, I found it easier to replace l2ping with hcitool. That worked for me, and I moved on.

Kind regards -- Ross

On 4/06/2013, at 11:36, Craig McQueen <email address hidden> wrote:

> Is pam_blue maintained? It's looking a bit dead at the moment. How can
> we contribute patches "upstream" or to continue development in
> Debian/Ubuntu? According to the Ubuntu package, the web site is
> http://pam.0xdef.net/ but that is not responding, at least not at the
> moment.
>
> Would it be possible to patch l2ping to work if a non-root user is a
> member of e.g. "bluetooth" group? From strace, it seems the problem is
> with a call to "socket(PF_BLUETOOTH, SOCK_RAW, 0)", and raw sockets
> normally need root user or capability CAP_NET_RAW.
>
> Title:
> libpam_blue requires root, fails if non-privileged
>
> Status in “libpam-blue” package in Ubuntu:
> Confirmed
>
> Bug description:
> I modified /etc/pam.d/common-auth to allow two-factor authentication
> using password and either bluetooth proximity or, if that fails,
> google-authenticator:
>
> . . .
> # here are the per-package modules (the "Primary" block)
> auth [success=1 default=ignore] pam_unix.so nullok_secure
> # here's the fallback if no module succeeds
> auth requisite pam_deny.so
> #
> auth [success=1 default=ignore] pam_blue.so
> auth required pam_google_authenticator.so
> #
> # prime the stack . . .
>
> This works fine for login, but bluetooth authentication always fails when unlocking gnome-screensaver with the error message:
> Bluetooth scan failure [bluetooth device up?]
>
> The reason seems to be that pam_blue is based on l2cap which requires
> root authority to create sockets (l2ping runs as root but fails for a
> non-privileged user).
>
> An alternative method of detecting bluetooth proximity is to use hcitool:
> hcitool name xx:xx:xx:xx:xx:xx
> returns the name of the device whose MAC is given, or nothing on fail, and it works for a non-privileged user.
>
> Replacing pam_blue with a simple hacked version using hcitool works for both login and gnome-screensaver unlock:
>
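> /* Fail closed unless hcitool reports a device name. */
> int rc = PAM_SESSION_ERR;
> FILE *fpipe;
> const char *command = "hcitool name xx:xx:xx:xx:xx:xx";
> char line[256];
>
> if (!(fpipe = popen(command, "r"))) {
>     perror("Problems with pipe");
>     return rc;  /* no exit(): that would terminate the program calling PAM */
> }
> /* Any output line longer than 2 characters is treated as a device name. */
> while (fgets(line, sizeof line, fpipe)) {
>     if (strlen(line) > 2) rc = PAM_SUCCESS;
> }
> pclose(fpipe);
> return rc;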
>
> This bug probably affects all versions to date, but has been confirmed
> in Ubuntu 11.04 and 11.10, and in libpam-blue 0.9.0-3
>
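The hcitool-based check from the bug description, reworked as an added example (not code from the report or from pam_blue): it validates the address, runs the tool by absolute path without a shell or inherited environment, and returns failure instead of exiting the caller. The names `valid_bdaddr` and `device_answers` are hypothetical, and the tool path is supplied by the caller.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <errno.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: accept only the strict form XX:XX:XX:XX:XX:XX. */
int valid_bdaddr(const char *s) {
    if (s == NULL || strlen(s) != 17) return 0;
    for (int i = 0; i < 17; i++) {
        if (i % 3 == 2) { if (s[i] != ':') return 0; }
        else if (!isxdigit((unsigned char)s[i])) return 0;
    }
    return 1;
}

/* Run `<tool> name <bdaddr>` with no shell and an empty environment.
 * Returns 1 only if the tool exits 0 and prints non-whitespace output;
 * every failure path returns 0 instead of exiting the calling process. */
int device_answers(const char *tool, const char *bdaddr) {
    int fds[2], status, seen = 0;
    if (!valid_bdaddr(bdaddr) || pipe(fds) != 0) return 0;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return 0; }
    if (pid == 0) {                       /* child: stdout -> pipe */
        char *const argv[] = {(char *)tool, "name", (char *)bdaddr, NULL};
        char *const envp[] = {NULL};
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execve(tool, argv, envp);         /* absolute path, no PATH lookup */
        _exit(127);                       /* exec failed */
    }
    close(fds[1]);
    char buf[256]; ssize_t n;
    while ((n = read(fds[0], buf, sizeof buf)) > 0 || (n < 0 && errno == EINTR))
        for (ssize_t i = 0; i < n; i++)
            if (!isspace((unsigned char)buf[i])) seen = 1;
    close(fds[0]);
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR) return 0;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0 && seen;
}

/* Usage: ./a.out /usr/bin/hcitool 00:11:22:33:44:55 (path is an assumption) */
int main(int argc, char **argv) {
    return (argc == 3 && device_answers(argv[1], argv[2])) ? 0 : 1;
}
```

A non-empty name shows only that some device answered for that address; the name request is not authenticated, so the result is a presence hint and the second factor in the PAM stack still carries the authentication.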