fprint failed to claim device error
Regression?
No
Hyprlock Info and Version
Hyprlock version v0.8.2
Hyprlock config
# sample hyprlock.conf
# for more configuration options, refer https://wiki.hyprland.org/Hypr-Ecosystem/hyprlock
#
# rendered text in all widgets supports pango markup (e.g. <b> or <i> tags)
# ref. https://wiki.hyprland.org/Hypr-Ecosystem/hyprlock/#general-remarks
#
# shortcuts to clear password buffer: ESC, Ctrl+U, Ctrl+Backspace
# $font = Monospace
general {
hide_cursor = true
}
# uncomment to enable fingerprint authentication
# TODO where does this message display?
auth {
fingerprint {
enabled = true
ready_message = Scan fingerprint to unlock
present_message = Scanning...
retry_delay = 250 # in milliseconds
}
}
animations {
enabled = true
bezier = linear, 1, 1, 0, 0
animation = fadeIn, 1, 5, linear
animation = fadeOut, 1, 5, linear
animation = inputFieldDots, 1, 1, linear
}
background {
monitor =
path = OMITTED
color = rgba(25, 20, 20, 1.0)
blur_passes = 0
}
input-field {
monitor =
size = 20%, 5%
outline_thickness = 3
outer_color = rgb(21, 21, 21)
inner_color = rgb(245, 245, 245)
check_color = rgb(204, 136, 34)
fail_color = rgb(204, 34 ,34)
# outer_color = rgba(33ccffee) rgba(00ff99ee) 45deg
# check_color = rgba(00ff99ee) rgba(ff6633ee) 120deg
# fail_color = rgba(ff6633ee) rgba(ff0066ee) 40deg
font_color = rgb(10, 10, 10)
fade_on_empty = true
rounding = -1
font_family = Noto Sans
placeholder_text = <span foreground='##696969'><i>Input Password...</i></span>
fail_text = $PAMFAIL
# uncomment to use a letter instead of a dot to indicate the typed password
# dots_text_format = *
# dots_size = 0.4
dots_spacing = 0.3
# uncomment to use an input indicator that does not show the password length (similar to swaylock's input indicator)
# hide_input = true
position = 0, 0
halign = center
valign = center
}
# TIME
label {
monitor =
text = cmd[update:1000] date +'%-I:%M'
font_size = 100
font_family = Noto Sans Bold
position = 0, 325
halign = center
valign = center
}
# DATE
label {
monitor =
text = cmd[update:1000] date +"%A, %B %-d"
font_size = 19
font_family = Noto Sans SemiBold
position = 0, 225
halign = center
valign = center
}
Compositor Info and Version
System/Version info
Hyprland 0.48.1 built from branch at commit 29e2e59fdbab8ed2cc23a20e3c6043d5decb5cdc (version: bump to v0.48.1).
Date: Fri Mar 28 16:16:07 2025
Tag: v0.48.1, commits: 5937
built against:
aquamarine 0.8.0
hyprlang 0.6.1
hyprutils 0.7.0
hyprcursor 0.1.12
hyprgraphics 0.1.3
no flags were set
System Information:
System name: Linux
Node name: Beelzebub
Release: 6.14.5-arch1-1
Version: #1 SMP PREEMPT_DYNAMIC Sat, 03 May 2025 13:34:12 +0000
GPU information:
00:02.0 VGA compatible controller [0300]: Intel Corporation TigerLake-LP GT2 [Iris Xe Graphics] [8086:9a49] (rev 01) (prog-if 00 [VGA controller])
os-release: NAME="Arch Linux"
PRETTY_NAME="Arch Linux"
ID=arch
BUILD_ID=rolling
ANSI_COLOR="38;2;23;147;209"
HOME_URL="https://archlinux.org/"
DOCUMENTATION_URL="https://wiki.archlinux.org/"
SUPPORT_URL="https://bbs.archlinux.org/"
BUG_REPORT_URL="https://gitlab.archlinux.org/groups/archlinux/-/issues"
PRIVACY_POLICY_URL="https://terms.archlinux.org/docs/privacy-policy/"
LOGO=archlinux-logo
plugins:
Description
Fingerprint unlock breaks unexpectedly. The problem can be seen when I run it in the terminal. The first time I unlock with the fingerprint, it exits correctly. When I launch it again and enter the password, it hangs there without exiting:
[WARN] fprint: could not release device, [org.freedesktop.DBus.Error.Timeout] Connection timed out
I'm going to experiment a little to see what happens if I use the fingerprint both times, or the password the first time, but I'll create this issue first before I reboot.
Before rebooting and after the previous warning, I ran hyprlock again and got these two warnings:
[WARN] fprint: could not claim device, [net.reactivated.Fprint.Error.Internal] Open failed with error: Device 06cb:00fc is already open
[WARN] fprint: could not release device, [net.reactivated.Fprint.Error.ClaimDevice] Device was not claimed before use
Running fprintd-verify gives a similar error:
Using device /net/reactivated/Fprint/Device/16
failed to claim device: GDBus.Error:net.reactivated.Fprint.Error.Internal: Open failed with error: Device 06cb:00fc is already open
The problem is fixed upon reboot.
How to reproduce
Enable fingerprint using the section in the example configuration. Launch hyprlock, and use your fingerprint to unlock. Then launch it again and use your password to unlock. It should break the second time.
Crash reports, logs, images, videos
No response
After further testing, it appears that if I use the password to unlock every time, it works. If I use the fingerprint to unlock every time, it works as well. The problem seems to occur when I use the fingerprint first, and then the password.
I have a workaround for this.
Root cause:
- hyprlock has its own fingerprint auth mechanism which bypasses PAM (see #258 and #514).
- When entering a password in hyprlock, PAM is triggered. It defaults to using the configuration in /etc/pam.d/su if no /etc/pam.d/hyprlock exists. This causes PAM to claim the fingerprint reader. This exclusive claim means that hyprlock itself is unable to claim the fingerprint reader at the same time.
Workaround
- create /etc/pam.d/hyprlock and ensure that fprintd is not allowed, e.g.:
auth required pam_env.so
auth sufficient pam_unix.so nullok
auth required pam_deny.so
account required pam_unix.so
password required pam_unix.so
session required pam_unix.so
This prevents the conflict over the device claim.
This issue still feels like a bug to me though. I'm unsure if this exclusive claim thing is an issue with other fingerprint readers, but for reference, mine is a Dell Latitude 7430 using libfprint-2-tod1-broadcom with device:
0a5c:5843 Broadcom Corp. BCM58200 ControlVault 3 (FingerPrint sensor + Contacted SmartCard)
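A check for the conflict described in the comment above, as an added example (not hyprlock's or the commenter's code): it selects the PAM service file using the fallback the comment describes, follows `include`/`substack`/`@include` lines, and reports whether `pam_fprintd.so` is in the resulting auth stack. The `su` and `system-auth` contents are constructed samples, and the function names are hypothetical.

```python
from pathlib import Path
import tempfile

# Constructed sample files; HYPRLOCK is the workaround stack quoted above.
SU = "#%PAM-1.0\nauth sufficient pam_rootok.so\nauth include system-auth\n"
SYSTEM_AUTH = "auth sufficient pam_fprintd.so\nauth required pam_unix.so\n"
HYPRLOCK = ("auth required pam_env.so\nauth sufficient pam_unix.so nullok\n"
            "auth required pam_deny.so\naccount required pam_unix.so\n"
            "password required pam_unix.so\nsession required pam_unix.so\n")

def effective_service(pam_dir, service="hyprlock", fallback="su"):
    """Service file used: the fallback applies when no hyprlock file exists."""
    return service if Path(pam_dir, service).is_file() else fallback

def auth_modules(pam_dir, service, seen=None):
    """Module names in the auth stack, following include/substack/@include."""
    seen = set() if seen is None else seen
    path = Path(pam_dir, service)
    if service in seen or not path.is_file():
        return []
    seen.add(service)  # guards against include cycles
    mods = []
    for raw in path.read_text().splitlines():
        tok = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(tok) >= 2 and tok[0] == "@include":
            mods += auth_modules(pam_dir, tok[1], seen)
        elif len(tok) >= 3 and tok[0].lstrip("-") == "auth":
            if tok[1] in ("include", "substack"):
                mods += auth_modules(pam_dir, tok[2], seen)
            else:
                i = 1
                if tok[1].startswith("["):  # e.g. [success=1 default=ignore]
                    while i < len(tok) - 1 and not tok[i].endswith("]"):
                        i += 1
                if i + 1 < len(tok):
                    mods.append(Path(tok[i + 1]).name)
    return mods

def check(files):
    """Write files (name -> content) to a temporary pam.d and inspect it."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in files.items():
            Path(d, name).write_text(body)
        svc = effective_service(d)
        return svc, "pam_fprintd.so" in auth_modules(d, svc)

if __name__ == "__main__":
    print(check({"su": SU, "system-auth": SYSTEM_AUTH}))
    print(check({"su": SU, "system-auth": SYSTEM_AUTH, "hyprlock": HYPRLOCK}))
```

To inspect a live system, call `effective_service("/etc/pam.d")` and `auth_modules("/etc/pam.d", ...)` directly instead of `check`.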
Thanks @coldiron for figuring this out.
To me this seems like a configuration issue. I don't think we can prevent that our process is trying to claim the device twice, because of pam and fingerprint being enabled.
Although, maybe. We could move pam auth into a separate process altogether. This would introduce a bit of overhead, but lots of applications do that. That would also prevent problems caused by misbehaving pam modules. I will think about it.
I followed the workaround steps provided by @coldiron. However, I'm now getting slightly different errors that can be triggered the same way (Now I'm running v0.9.1):
[WARN] fprint: could not claim device, [net.reactivated.Fprint.Error.AlreadyInUse] Device was already claimed
[WARN] fprint: could not stop verifying, [net.reactivated.Fprint.Error.AlreadyInUse] Device already in use by another user
[WARN] fprint: could not start verifying, [net.reactivated.Fprint.Error.AlreadyInUse] Device already in use by another user
[WARN] fprint: could not release device, [net.reactivated.Fprint.Error.ClaimDevice] Device was not claimed before use
Running hyprlock again after that produced this error:
[WARN] fprint: couldn't connect to Fprint service ([net.reactivated.Fprint.Error.NoSuchDevice] No devices available)
Running fprintd-verify produced a similar error:
Impossible to verify: GDBus.Error:net.reactivated.Fprint.Error.NoSuchDevice: No devices available