[Pcsclite-muscle] [PATCH] pcsc-lite & polkit: allow auth_admin

Ludovic Rousseau ludovic.rousseau
Thu Dec 4 07:07:36 PST 2014


2014-12-04 14:59 GMT+01:00 Nikos Mavrogiannopoulos <nmav at redhat.com>:
> On Thu, 2014-12-04 at 11:19 +0100, Ludovic Rousseau wrote:
>> 2014-12-04 9:36 GMT+01:00 Nikos Mavrogiannopoulos <nmav at redhat.com>:
>> > ----- Original Message -----
>> >
>> >> Possible problem: If the authorization agent is present and active,
>> >> polkit_authority_check_authorization_sync() could take a long time (the
>> >> time of users' response). If the next request comes at the same time, it
>> >> is postponed until the previous one is handled. (Actions done by root
>> >> are not postponed.)
>> >
>> > Indeed, and that is the reason it is disabled. I found that unacceptable for
>> > a server that can serve multiple requests. A client can always authenticate
>> > as admin using su, and then use pcscd.
>>
>> Should I revert the patch?
>
> The drawback of that approach is that each accept()ed session will be blocked
> until the password is entered and sent by the user. If the user goes for lunch
> without entering a password that session will be blocked from processing any
> other requests. I cannot predict how that would affect typical pcscd usage.
> I think that it would be better for that change to be combined with using polkit
> asynchronously.

IsClientAuthorized() is called only from ContextThread(). This code is
running in a thread dedicated to the PC/SC client (in fact dedicated
to a SCardEstablishContext context). So blocking this thread should
not affect the other pcscd tasks.

Do you think the change proposed by Stanislav is still a problem?

Bye

-- 
 Dr. Ludovic Rousseau
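
Added example, not part of the original message and not pcsc-lite code: a minimal pthread model of the thread-per-context argument above, in which one client's synchronous authorization check waits for a user answer while another client's context thread runs to completion. The names check_authorized_sync, context_thread and other_client_not_blocked are hypothetical stand-ins, and the semaphore stands in for the user's response to the polkit prompt.

```c
/* Added illustration, not pcsc-lite source; all names are hypothetical. */
#include <pthread.h>
#include <semaphore.h>
#include <stdio.h>

static sem_t user_answer;      /* posted when the "user" answers the prompt */
static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER;
static int finished;           /* number of contexts that have completed */

struct ctx { int needs_prompt; int order; };

/* Stand-in for a synchronous authorization check: blocks until answered. */
static int check_authorized_sync(struct ctx *c)
{
    if (c->needs_prompt)
        sem_wait(&user_answer);
    return 1;
}

/* Stand-in for a thread dedicated to one client context. */
static void *context_thread(void *arg)
{
    struct ctx *c = arg;
    if (check_authorized_sync(c)) {
        pthread_mutex_lock(&lock);
        c->order = ++finished;  /* record completion order */
        pthread_mutex_unlock(&lock);
    }
    return NULL;
}

/* Returns 1 if client B completed while client A still waited on its prompt. */
int other_client_not_blocked(void)
{
    struct ctx a = { 1, 0 }, b = { 0, 0 };
    pthread_t ta, tb;

    finished = 0;
    sem_init(&user_answer, 0, 0);
    pthread_create(&ta, NULL, context_thread, &a);
    pthread_create(&tb, NULL, context_thread, &b);
    pthread_join(tb, NULL);          /* B finishes; no answer given yet */
    int a_pending = (a.order == 0);  /* A cannot advance before sem_post */
    sem_post(&user_answer);          /* the user finally answers */
    pthread_join(ta, NULL);
    sem_destroy(&user_answer);
    return a_pending && b.order == 1 && a.order == 2;
}

int main(void) { printf("%d\n", other_client_not_blocked()); return 0; }
```

The context waiting on the prompt stays blocked until the answer arrives; only the other contexts proceed.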



