Package: fprintd
Version: 0.4.1-5-g73edad0-3

fprintd-enroll records fingerprints and enables fingerprint authentication without asking for a password for users. This creates a security issue, as shown in the following example:

In an open session of a computer with a fingerprint reader, with fprintd and sudo installed and with the current user member of sudoers, do:

$ fprintd-enroll

record your fingerprint, then:

$ sudo su -

enter your fingerprint

# you are now root without having typed a single password.

I believe the correct behavior for fprintd-enroll should be to ask for the user password before recording the fingerprint, like for password changes.

I am using Debian stable (wheezy) with backports enabled on amd64 (Linux mobilis 3.2.0-4-amd64 #1 SMP Debian 3.2.46-1 x86_64 GNU/Linux)
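
One way to require the account password before enrollment, as an added example that is not part of the original report and not fprintd's or Debian's own configuration: a polkit local-authority override for fprintd's enroll action. It assumes a polkit version that reads .pkla files (as polkit 0.105 does) and that enrollment is gated by the net.reactivated.fprint.device.enroll action; the file name is hypothetical.

```ini
# /etc/polkit-1/localauthority/50-local.d/50-fprintd-enroll.pkla
# (hypothetical file name; any *.pkla file in this directory is read)
#
# Override the default authorization for fingerprint enrollment so that
# a user in an active local session must prove knowledge of their own
# password before a new fingerprint is recorded. Remote and inactive
# sessions are refused outright.

[Require password before fingerprint enrollment]
# Apply to every local account.
Identity=unix-user:*
# polkit action checked by fprintd when a fingerprint is enrolled.
Action=net.reactivated.fprint.device.enroll
# Sessions that are not local (e.g. ssh): deny.
ResultAny=no
# Local but inactive sessions: deny.
ResultInactive=no
# Active local session: authenticate as the calling user each time.
# auth_self (not auth_self_keep) avoids caching the authorization.
ResultActive=auth_self
```

If the polkit authentication dialog itself accepts fingerprints through PAM, a previously enrolled finger would satisfy this prompt, so the override closes the first-enrollment case described in the report rather than every path.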

