[Pcsclite-muscle] [PATCH] pcsc-lite & polkit: allow auth_admin

Ludovic Rousseau ludovic.rousseau
Fri Dec 5 00:19:42 PST 2014


Nikos,

Any comment on that?
What would you prefer?
As the original author of the auth.c source code file you may have the
last word.

I do not want to be in the middle of a RedHat vs. SUSE battle for
Policy Kit issues :-)

Bye

2014-12-04 21:07 GMT+01:00 Stanislav Brabec <sbrabec at suse.cz>:
> On Dec 4, 2014 at 16:07 Ludovic Rousseau wrote:
>
>> IsClientAuthorized() is called only from ContextThread(). This code is
>> running in a thread dedicated to the PC/SC client (in fact dedicated
>> to a SCardEstablishContext context). So blocking this thread should
>> not affect the other pcscd tasks.
>>
>> Do you think the change proposed by Stanislav is still a problem?
>>
> Well, We can keep the patch and change defaults. Then the default
> configuration can never cause delays, but users of ssh remote sessions
> and so will still be able to authorize after admin's conscious changes
> of configuration.
>
> This configuration will behave exactly equally as the previous one
> without previous patch.
>
> Index: pcsc-lite-1.8.13/doc/org.debian.pcsc-lite.policy
> ===================================================================
> --- pcsc-lite-1.8.13.orig/doc/org.debian.pcsc-lite.policy
> +++ pcsc-lite-1.8.13/doc/org.debian.pcsc-lite.policy
> @@ -9,20 +9,20 @@
>
>    <action id="org.debian.pcsc-lite.access_pcsc">
>      <description>Access to the PC/SC daemon</description>
> -    <message>Authentication is required to access the PC/SC daemon</message>
> +    <message>Authentication is required to access the PC/SC daemon. Warning: Use of "auth_admin" can cause processing delays!</message>
>      <defaults>
> -      <allow_any>auth_admin</allow_any>
> -      <allow_inactive>auth_admin</allow_inactive>
> +      <allow_any>no</allow_any>
> +      <allow_inactive>no</allow_inactive>
>        <allow_active>yes</allow_active>
>      </defaults>
>    </action>
>
>    <action id="org.debian.pcsc-lite.access_card">
>      <description>Access to the smart card</description>
> -    <message>Authentication is required to access the smart card</message>
> +    <message>Authentication is required to access the PC/SC daemon. Warning: Use of "auth_admin" can cause processing delays!</message>
>      <defaults>
> -      <allow_any>auth_admin</allow_any>
> -      <allow_inactive>auth_admin</allow_inactive>
> +      <allow_any>no</allow_any>
> +      <allow_inactive>no</allow_inactive>
>        <allow_active>yes</allow_active>
>      </defaults>
>    </action>
>
> --
> Best Regards / S pozdravem,
>
> Stanislav Brabec
> software developer
> ---------------------------------------------------------------------
> SUSE LINUX, s. r. o.                          e-mail: sbrabec at suse.cz
> Lihovarsk? 1060/12                            tel: +49 911 7405384547
> 190 00 Praha 9                                 fax:  +420 284 084 001
> Czech Republic                                    http://www.suse.cz/
> PGP: 830B 40D5 9E05 35D8 5E27 6FA3 717C 209F A04F CD76
>
> _______________________________________________
> Pcsclite-muscle mailing list
> Pcsclite-muscle at lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pcsclite-muscle



-- 
 Dr. Ludovic Rousseau




More information about the pcsclite-muscle mailing list