Distribution
Mint zena 22.3
Package version
6.6.1
Graphics hardware in use
Intel i915 (integrated GPU)
Frequency
Quite often
Bug description
Every unlock attempt triggers a flood of sys.excepthook errors in the
journal, causing Cinnamon to restart and the desktop to briefly flicker.
The issue is caused by an interaction between pam_fingwit and pam_fprintd
in common-auth. During screensaver unlock, the user already has an active
desktop session, so pam_fingwit correctly returns PAM_IGNORE. However,
pam_fprintd is still called afterward and attempts to claim the Goodix
fingerprint device, which triggers an unhandled Python exception inside
cinnamon-screensaver.
Relevant journal output:
org.cinnamon.ScreenSaver: Error in sys.excepthook:
org.cinnamon.ScreenSaver: Original exception was:
fprintd: Authorization denied to call method 'Claim': Device was already claimed
Versions involved:
- libpam-fingwit 1.0.8+zena
- fprintd 1.94.3-1
- Fingerprint sensor: Goodix MOC Fingerprint Sensor (press)
Steps to reproduce
- Have a Goodix fingerprint sensor with enrolled fingerprints
(fprintd-list $USER confirms enrollment)
- Lock the screen with Super+L or via suspend
- Attempt to unlock (with fingerprint or password)
- Run: journalctl -b | grep -i "screensaver|fprintd"
- Observe repeated "Error in sys.excepthook" and
"Device was already claimed" errors
Expected behavior
The screensaver should unlock cleanly without any Python exceptions,
whether authenticating via fingerprint or password. Cinnamon should
not need to restart after unlocking.
Additional information
Root cause: in pam_fingwit.py, user_has_session() returns True during
screensaver unlock (user already has an active desktop session with a
seat ID). pam_fingwit returns PAM_IGNORE, but pam_fprintd is still
invoked and tries to claim the device, causing the crash.
Workaround: override /etc/pam.d/cinnamon-screensaver to bypass
pam_fingwit and call pam_fprintd directly:
auth sufficient pam_fprintd.so max-tries=1 timeout=15
auth sufficient pam_unix.so try_first_pass nullok
auth required pam_deny.so
auth optional pam_gnome_keyring.so
Suggested fix: when user_has_session() returns True, pam_fingwit should
return PAM_AUTHINFO_UNAVAIL instead of PAM_IGNORE to prevent pam_fprintd
from being called, OR a dedicated PAM config for cinnamon-screensaver
should be shipped that handles this case correctly.
Distribution
Mint zena 22.3
Package version
6.6.1
Graphics hardware in use
Intel i915 (integrated GPU)
Frequency
Quite often
Bug description
Every unlock attempt triggers a flood of sys.excepthook errors in the
journal, causing Cinnamon to restart and the desktop to briefly flicker.
The issue is caused by an interaction between pam_fingwit and pam_fprintd
in common-auth. During screensaver unlock, the user already has an active
desktop session, so pam_fingwit correctly returns PAM_IGNORE. However,
pam_fprintd is still called afterward and attempts to claim the Goodix
fingerprint device, which triggers an unhandled Python exception inside
cinnamon-screensaver.
Relevant journal output:
org.cinnamon.ScreenSaver: Error in sys.excepthook:
org.cinnamon.ScreenSaver: Original exception was:
fprintd: Authorization denied to call method 'Claim': Device was already claimed
Versions involved:
Steps to reproduce
(fprintd-list $USER confirms enrollment)
"Device was already claimed" errors
Expected behavior
The screensaver should unlock cleanly without any Python exceptions,
whether authenticating via fingerprint or password. Cinnamon should
not need to restart after unlocking.
Additional information
Root cause: in pam_fingwit.py, user_has_session() returns True during
screensaver unlock (user already has an active desktop session with a
seat ID). pam_fingwit returns PAM_IGNORE, but pam_fprintd is still
invoked and tries to claim the device, causing the crash.
Workaround: override /etc/pam.d/cinnamon-screensaver to bypass
pam_fingwit and call pam_fprintd directly:
auth sufficient pam_fprintd.so max-tries=1 timeout=15
auth sufficient pam_unix.so try_first_pass nullok
auth required pam_deny.so
auth optional pam_gnome_keyring.so
Suggested fix: when user_has_session() returns True, pam_fingwit should
return PAM_AUTHINFO_UNAVAIL instead of PAM_IGNORE to prevent pam_fprintd
from being called, OR a dedicated PAM config for cinnamon-screensaver
should be shipped that handles this case correctly.