Automatic Screen Lock at Removal script

I bought a Nitrokey Pro 2 and found this article on your documentation website.

https://docs.nitrokey.com/pro/linux/automatic-screen-lock.html

My computer is running Debian 10.10 with Gnome 3.30.2. Unfortunately, the article somehow does not work for me. I did all the steps, gave execute rights (chmod +x) to the script and ran it as a test from the root terminal.
First of all it works, then I ran it manually from a normal terminal. Now I was prompted to enter the user password and the computer got locked. The user is not in the sudoers file or in sudo group.

Now I unplugged the Nitrokey and nothing happens. Is it a problem from Debian or does it only run on Ubuntu?

Do you have an idea?

I haven’t received an answer. Can you give it a look? Do you need more information?

hey @DieRuebe,

Generally there might be slight differences between how Ubuntu & Debian handle things. But you should easily be able to debug this. There are 2 components here which play together: udev and a simple script.

So 1st step would be to find out if your script gets called, if you remove your nitrokey. Just add a line like this echo "hello hello" > /tmp/mytest as the first line into your script. This will write a file /tmp/mytest if the script gets called by udev on removal of your nitrokey.

Is this working? If yes, the problem is within your script; if not, the problem is within your udev rule. I would guess udev is your problem, but as you now have a way to test this, you can check the various parts of your rule (e.g., check if the script location is correct, check if the product id matches the output of lsusb).

On top of that, did you reboot and/or reload the udev rules? I guess it was like this: udevadm control --reload-rules && udevadm trigger, because afaik the rules are not reloaded automatically.

best

Hi again,
@daringer thanks, I tried out your suggestions, but it still does not work. As you assumed it isn’t the script that does not work. I added the echo "hello hello" > /tmp/mytest to the script and it hasn’t been run.

Now I installed a fresh Debian GNU/Linux 11 (bullseye) with GNOME 3.38.5 Wayland on my NitroPad X230 - and still nothing happens.
I also tried a lot of things, for example I changed several other key values, such as ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="4108" instead of ENV{PRODUCT}=="20a0/4108/101", ran udevadm control --reload-rules && udevadm trigger and also rebooted several times.

Here are my file permissions, content of my scripts and what udevadm monitor does when the Nitrokey is removed. For me it looks correct, but I have no idea what the OS does in the background. Maybe anyone else has an idea.

$ ls -la /etc/udev/rules.d/85-nitrokey.rules
-rwxr-xr-x 1 root root 94 Oct 14 21:18 /etc/udev/rules.d/85-nitrokey.rules

$ sudo editor /etc/udev/rules.d/85-nitrokey.rules
ACTION=="remove", ENV{PRODUCT}=="20a0/4108/101", RUN+="/usr/local/bin/gnome-screensaver-lock"

$ ls -la /usr/local/bin/gnome-screensaver-lock
-rwxr-xr-x 1 root root 237 Oct 14 21:17 /usr/local/bin/gnome-screensaver-lock

(Note: the grave accent is used around the user attribute, but not displayed here in the forum)
$ sudo editor /usr/local/bin/gnome-screensaver-lock
user=ps axo user:30,comm | egrep "gdm-(wayland|x)" | awk '{print $1}'

if [ -n "$user" ]; then
	su "$user" -c "/usr/bin/dbus-send --type=method_call --dest=org.gnome.ScreenSaver /org/gnome/ScreenSaver org.gnome.ScreenSaver.Lock"
fi

$ lsusb
Bus 001 Device 009: ID 20a0:4108 Clay Logic Nitrokey Pro

$ udevadm monitor --property --subsystem-match=usb

UDEV  [524.256033] unbind   /devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.2/1-1.2:1.0 (usb)
ACTION=unbind
DEVPATH=/devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.2/1-1.2:1.0
SUBSYSTEM=usb
DEVTYPE=usb_interface
PRODUCT=20a0/4108/101
TYPE=0/0/0
INTERFACE=3/0/0
SEQNUM=2904
USEC_INITIALIZED=469947382
ID_PATH=pci-0000:00:1a.0-usb-0:1.2:1.0
ID_PATH_TAG=pci-0000_00_1a_0-usb-0_1_2_1_0

UDEV  [524.256837] remove   /devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.2/1-1.2:1.1 (usb)
ACTION=remove
DEVPATH=/devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.2/1-1.2:1.1
SUBSYSTEM=usb
DEVTYPE=usb_interface
PRODUCT=20a0/4108/101
TYPE=0/0/0
INTERFACE=11/0/0
MODALIAS=usb:v20A0p4108d0101dc00dsc00dp00ic0Bisc00ip00in01
SEQNUM=2906
USEC_INITIALIZED=469946878
ID_VENDOR_FROM_DATABASE=Clay Logic
ID_PATH=pci-0000:00:1a.0-usb-0:1.2:1.1
ID_PATH_TAG=pci-0000_00_1a_0-usb-0_1_2_1_1

UDEV  [524.257826] remove   /devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.2/1-1.2:1.0 (usb)
ACTION=remove
DEVPATH=/devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.2/1-1.2:1.0
SUBSYSTEM=usb
DEVTYPE=usb_interface
PRODUCT=20a0/4108/101
TYPE=0/0/0
INTERFACE=3/0/0
MODALIAS=usb:v20A0p4108d0101dc00dsc00dp00ic03isc00ip00in00
SEQNUM=2905
USEC_INITIALIZED=469947382
ID_PATH=pci-0000:00:1a.0-usb-0:1.2:1.0
ID_PATH_TAG=pci-0000_00_1a_0-usb-0_1_2_1_0

UDEV  [524.259217] unbind   /devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.2 (usb)
ACTION=unbind
DEVPATH=/devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.2
SUBSYSTEM=usb
DEVNAME=/dev/bus/usb/001/007
DEVTYPE=usb_device
PRODUCT=20a0/4108/101
TYPE=0/0/0
BUSNUM=001
DEVNUM=007
SEQNUM=2907
USEC_INITIALIZED=469940924
ID_PATH=pci-0000:00:1a.0-usb-0:1.2
ID_PATH_TAG=pci-0000_00_1a_0-usb-0_1_2
ID_FOR_SEAT=usb-pci-0000_00_1a_0-usb-0_1_2
MAJOR=189
MINOR=6
TAGS=:seat:uaccess:systemd:security-device:
CURRENT_TAGS=:seat:

UDEV  [524.261424] remove   /devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.2 (usb)
ACTION=remove
DEVPATH=/devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.2
SUBSYSTEM=usb
DEVNAME=/dev/bus/usb/001/007
DEVTYPE=usb_device
PRODUCT=20a0/4108/101
TYPE=0/0/0
BUSNUM=001
DEVNUM=007
SEQNUM=2908
USEC_INITIALIZED=469940924
ID_PATH=pci-0000:00:1a.0-usb-0:1.2
ID_PATH_TAG=pci-0000_00_1a_0-usb-0_1_2
ID_FOR_SEAT=usb-pci-0000_00_1a_0-usb-0_1_2
MAJOR=189
MINOR=6
TAGS=:security-device:seat:uaccess:systemd:
CURRENT_TAGS=:seat:

When I get some time I will set up a new Ubuntu 20.04 VM and try it again from scratch…
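
The rule and the monitor output in the post above can be compared mechanically. The following sketch is an added example, not part of the original post: `events_matching` and `sample_events` are hypothetical helpers that apply the rule's two match keys, as exact string comparisons, to an abridged copy of the posted events.

```shell
#!/bin/sh
# Added example. Events abridged from the udevadm monitor output posted above
# (ACTION, DEVPATH and PRODUCT only), one block per event.
sample_events() {
cat <<'EOF'
ACTION=unbind
DEVPATH=/devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.2/1-1.2:1.0
PRODUCT=20a0/4108/101

ACTION=remove
DEVPATH=/devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.2/1-1.2:1.1
PRODUCT=20a0/4108/101

ACTION=remove
DEVPATH=/devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.2/1-1.2:1.0
PRODUCT=20a0/4108/101

ACTION=unbind
DEVPATH=/devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.2
PRODUCT=20a0/4108/101

ACTION=remove
DEVPATH=/devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.2
PRODUCT=20a0/4108/101
EOF
}

# Print the DEVPATH of every event whose ACTION and PRODUCT properties equal
# the two arguments. Exact string comparison only; udev's "==" also accepts
# glob patterns, which this sketch does not implement.
events_matching() {
    awk -v act="$1" -v prod="$2" '
        BEGIN { RS = ""; FS = "\n" }   # one record per blank-line-separated event
        {
            a = p = d = ""
            for (i = 1; i <= NF; i++) {
                if (index($i, "ACTION=") == 1)  a = substr($i, 8)
                if (index($i, "PRODUCT=") == 1) p = substr($i, 9)
                if (index($i, "DEVPATH=") == 1) d = substr($i, 9)
            }
            if (a == act && p == prod) print d
        }'
}

# Keys taken from the posted rule: ACTION=="remove", ENV{PRODUCT}=="20a0/4108/101"
sample_events | events_matching remove 20a0/4108/101
```

Three of the five posted events satisfy both keys: the two interfaces and the device itself. A rule with these keys is therefore evaluated as a match once per such event, and the unbind events are not matched.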

Hi @DieRuebe and @daringer

Did you have any success? On Arch Linux I need to add the following lines to get the script to work.

pid_gnome=$(pgrep gnome-session|head -1)
DBUS_SESSION_BUS_ADDRESS=$(grep -z DBUS_SESSION_BUS_ADDRESS /proc/${pid_gnome}/environ|cut -d= -f2- | tr -d '\0\n')
export DBUS_SESSION_BUS_ADDRESS=${DBUS_SESSION_BUS_ADDRESS}

I took this from: linux - How to export DBUS_SESSION_BUS_ADDRESS - Stack Overflow

However, while it now works from the command line it doesn’t when dbus calls the script.

May 07 15:33:39 it72 kernel: usb 1-2: USB disconnect, device number 15
May 07 15:33:39 it72 systemd-udevd[65183]: 1-2:1.1: Process '/usr/local/bin/gnome-screensaver-lock' failed with exit code 1.
May 07 15:33:39 it72 systemd-udevd[65182]: 1-2:1.0: Process '/usr/local/bin/gnome-screensaver-lock' failed with exit code 1.
May 07 15:33:39 it72 systemd-udevd[65183]: 1-2: Process '/usr/local/bin/gnome-screensaver-lock' failed with exit code 1.

Any ideas?
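
One way to make the "failed with exit code 1" journal line above more informative, as an added example that is not part of the original post or the Nitrokey documentation's script and not a confirmed fix: each stage returns its own exit code, so the code systemd-udevd logs identifies the step that failed. The function names, the exit codes 10 to 13 and the `--lock` argument are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: function names, exit codes and the --lock switch are
# constructed for illustration.

# Print the value of DBUS_SESSION_BUS_ADDRESS from a NUL-separated environ
# file. The match is anchored to the start of a record, so a variable that
# merely contains that name inside its own name or value is ignored.
bus_addr_from_environ() {
    tr '\0' '\n' < "$1" | sed -n 's/^DBUS_SESSION_BUS_ADDRESS=//p' | head -n 1
}

lock_session() {
    pid=$(pgrep gnome-session | head -n 1)
    [ -n "$pid" ] || return 10                       # no gnome-session process found
    user=$(stat -c %U "/proc/$pid") || return 11     # owner of the session unknown
    addr=$(bus_addr_from_environ "/proc/$pid/environ")
    [ -n "$addr" ] || return 12                      # bus address missing from environ
    export DBUS_SESSION_BUS_ADDRESS="$addr"
    su "$user" -c "/usr/bin/dbus-send --type=method_call --dest=org.gnome.ScreenSaver /org/gnome/ScreenSaver org.gnome.ScreenSaver.Lock" || return 13
}

# Act only when called with --lock (hypothetical switch), so the helper above
# can be exercised on its own without sending a lock request.
if [ "${1:-}" = "--lock" ]; then
    lock_session
    exit $?
fi
```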