BlueProximity on Ubuntu 14.04 LTS

I had a desktop I was using with Windows 10, until it kept overheating (at least that’s what I can only assume the blue screens were from after using SpeedFan and some other utilities to notice my temps were way above normal).  After trying to resolve the issue by replacing the monster graphics card, reseating (and applying thermal grease) to the CPU, and making sure all the fans were operating, I gave up.  This was a hand me down workstation, although a nice one, that my brother had been using as a gaming station years ago when it was a monster.  I’m not a hardware guy anymore, and fooling with it just costs me too much time.  So, I had this trusty old Dell (also a hand me down) collecting dust and I decided to make it useful by slapping Ubuntu on it.  In about 30 minutes, viola, I have a usable station again.  Did I mention I love cloud services?  Why would I need to transfer any data when it’s in the cloud!

So I got to thinking, on Windows 7 there was a utility someone wrote that would unlock the desktop with bluetooth proximity.  I think the notion of this is genius, since I have my phone on me 95% of the time.  What’s the point of authenticating with a password when I have my phone?  Yeah, from a security perspective there are holes in this.  Someone could steal my phone, someone could spoof the bluetooth address from the phone, etc.  I acknowledge it would be more awesome to have an app on the phone that would communicate with my workstation that would present a client certificate to validate itself, and store that certificate encrypted using a password or my fingerprint.  But hey, I just want my workstation unlocked when I walk in the room right now, so when I walk away I can rest assured it is fairly secure (after all, someone will have physical access to it anyone, and that in my book is a game over without an encrypted filesystem).

So, in comes BlueProximity.  Luckily it’s an App on Ubuntu, so it was super fast to install through the Ubuntu Software Center.  Once installed, I paired my phone using the Bluetooth menu at the top of the Ubuntu GNOME.  Once that was done, I launched BlueProximity, selected my phone (I had to make my phone visible again for that to work), and then setup the distances.  To my excitement, it locked the screen as I walked away.  To my disappointment, the screen did not unlock.  Apparently the default command that BlueProximity uses is the gnome-screensaver-command, which works great with -l to lock, but not so great for -d to unlock.  Also, the -p option for the proximity command doesn’t even exist anymore.

So, I start googling around, and find that loginctl can lock and unlock sessions.  Great, except that it needs to run with elevated rights to do so.  I don’t want the hundreds of users on my workstation locking each other’s sessions at random now do I?  In comes some sudoers magic.  I created two scripts, one for unlocking and one for locking.  Here are the commands for both:

/usr/share/blueproximity/unlockScreen.sh

#!/bin/bash
session=$(loginctl show-user $SUDO_USER | sed -n '/Display/ s/Display=//p')
loginctl unlock-session $session

/usr/share/blueproximity/lockScreen.sh

#!/bin/bash
session=$(loginctl show-user $SUDO_USER | sed -n '/Display/ s/Display=//p')
loginctl lock-session $session

Setup some good permissions on those scripts (root.root, 0755) and we’re good to go.  Now, to allow the files to be run as sudo without a password, by anyone, we simply create the file /etc/sudoers.d/blueproximity with the following content:

# Allow users to lock and unlock their screens by running these scripts as sudo
ALL ALL=NOPASSWD: /usr/share/blueproximity/lockScreen.sh
ALL ALL=NOPASSWD: /usr/share/blueproximity/unlockScreen.sh

So, if we want to test, we can go ahead and run:

sudo /usr/share/blueproximity/lockScreen.sh ; sleep 10; sudo /usr/share/blueproximity/unlockScreen.sh

That will lock the screen, wait 10 seconds, and then unlock it.  So now, we just edit the BlueProximity file in your home directory ~/.blueproximity/standard.conf and update the following 3 lines:

lock_command = sudo /usr/share/blueproximity/lockScreen.sh
unlock_command = sudo /usr/share/blueproximity/unlockScreen.sh
proximity_command = sudo /usr/share/blueproximity/unlockScreen.sh

And now we relaunch BlueProximity and we’re good to go.  One thing I don’t understand about BlueProximity is that once you launch it the first time, you won’t get the GUI again unless you remove your standard.conf file.  So if you want to see the GUI again, you’ve got to revert back to your default settings.  The other thing is there doesn’t appear to be a nice way of killing it other than using ps to find it and kill to kill it.  However, for what it does, you can’t beat it.  Aside, it does all this using Python, even the initial GUI display for setting it up.  Amazing!

So there you go, now BlueProximity works, the scripts are secure, and you don’t have to worry about leaving your workstation unlocked or fiddle putting passwords in when you walk back in the room.  One thing I love about having a Unix workstation is that the possibilities are almost endless on what you can do.  In my opinion, Linux desktops are not quite there yet for the average PC user to ditch Windows, but they are darn near close and at this point are probably eating into quite a bit of Microsoft’s profits.  But, that’s a post for another day.