Comment 4 for bug 235297

Roger Binns (ubuntu-rogerbinns) wrote :

Earlier versions of thinkfinger did store the fingerprint in a "secure location". They would be stored as /etc/pam_thinkfinger/USERNAME.bir with the directory and files only accessible by root. The pam_thinkfinger code may still support this.

Unfortunately this led to two problems:

 * The files had to be copied to multiple machines even when users had a single networked home directory
 * Fingerprint verification could only be done when the pam_thinkfinger module is running as root. This broke many things #138957

In Hardy thinkfinger was changed to use your home directory so that there are no issues with needing to run the pam modules as root.

If you still want root-only access to the fingerprints then you'll need to write a setuid helper module for authentication (https://bugs.launchpad.net/ubuntu/+source/gnome-screensaver/+bug/138957/comments/6). If you have access to the user's home directory then your setuid enrollment program won't help, since the bad guy can just run it as you and enroll their fingerprint, although the real user will eventually discover that theirs no longer works.

Lastly, if you have the ability to modify files in someone's directory then you can trivially get root in other ways, such as changing their $PATH to point to a trojaned version of sudo which records the password, an ssh_agent that captures their password/keys, etc.

The best way of looking at the security of all this is how much would a bad guy charge to crack the systems (which would be relative to the level of difficulty and risk of getting caught). USB keyloggers are in the 10s of dollars. Fingerprints are a similar amount of money. See the MythBusters episode where they used latex, ballistic gel and even photocopies.