How to dynamically disable fingerprint reader when the laptop is plugged in the thunderbold docking station
Create and edit the script:
sudo vi /usr/local/bin/thunderbolt-handler.shAdd the following content:
#!/bin/bash
if [ "$1" == "add" ]; then
logger "Thunderbolt device plugged in!"
authselect disable-feature with-fingerprint
echo "Thunderbolt device plugged in"
elif [ "$1" == "remove" ]; then
logger "Thunderbolt device unplugged!"
authselect enable-feature with-fingerprint
echo "Thunderbolt device unplugged"
else
echo "Unknown argument: $1"
fiGrant execution permessions:
sudo chmod +x /usr/local/bin/thunderbolt-handler.shCreate a new rule in /etc/udev/rules.d/99-thunderbolt.rules:
sudo vi /etc/udev/rules.d/99-thunderbolt.rulesPaste this:
SUBSYSTEM=="thunderbolt", ACTION=="add", RUN+="/usr/local/bin/thunderbolt-handler.sh add"
SUBSYSTEM=="thunderbolt", ACTION=="remove", RUN+="/usr/local/bin/thunderbolt-handler.sh remove"Reload rules and trigger:
sudo udevadm control --reload-rules
sudo udevadm triggerThen unplug and replug your Thunderbolt device to test.
-
Check if the rule fired using:
journalctl -xe | grep thunderboltUse
ENV{ID_MODEL}or similar to narrow the match. -
Identify your Thunderbolt device running:
udevadm monitor --environment --udev
Plug in your Thunderbolt device and check the events.
Here's a complete solution using a systemd service that runs at boot, checks if the lid is closed, and conditionally disables fingerprint auth.Here are all the files you need to create.
Here how to make sure that the fingerprint is disabled if the lid is closed since the boot time and no plugin event is detected:
1. Helper script
sudo vi /usr/local/bin/check-lid-fingerprint.shPaste this content:
#!/bin/bash
LID_STATE_FILE=$(find /proc/acpi/button/lid/*/state 2>/dev/null | head -n1)
if [[ -z "$LID_STATE_FILE" ]]; then
echo "No lid state file found, skipping."
exit 0
fi
STATE=$(cat "$LID_STATE_FILE")
if echo "$STATE" | grep -q "closed"; then
echo "Lid is closed — disabling fingerprint auth."
authselect disable-feature with-fingerprint
else
echo "Lid is open — enable fingerprint auth."
authselect enable-feature with-fingerprint
fiMake it executable:
sudo chmod +x /usr/local/bin/check-lid-fingerprint.sh2. The systemd unit — /etc/systemd/system/lid-fingerprint.service
sudo vi /etc/systemd/system/lid-fingerprint.servicePaste this content:
[Unit]
Description=Disable fingerprint auth when lid is closed at boot
After=multi-user.target
[Service]
Type=oneshot
ExecStart=/usr/local/bin/check-lid-fingerprint.sh
RemainAfterExit=no
[Install]
WantedBy=multi-user.target3. Enable the service
sudo systemctl daemon-reload
sudo systemctl enable lid-fingerprint.serviceYou can test it immediately without rebooting with:
sudo systemctl start lid-fingerprint.service
sudo systemctl status lid-fingerprint.serviceHow it works: The service runs once after multi-user.target (i.e. after the normal boot sequence completes). The script checks /proc/acpi/button/lid/*/state — the kernel file that reports lid position — and only calls authselect disable-feature with-fingerprint if the value is closed. If the lid is open, it exits cleanly without touching anything.
Note:
authselect disable-featureis idempotent, so running it when the feature is already disabled is harmless. If you also want to re-enable fingerprint auth when the lid is opened later (at runtime), you'd need audevrule on the lid switch event — let me know if you want that too.