[Pcsclite-muscle] [PATCH] pcsc-lite & polkit: allow auth_admin
Stanislav Brabec
sbrabec
Fri Dec 5 10:37:45 PST 2014
Nikos Mavrogiannopoulos:
> I remember I have practical issues with polkit authentication enabled,
> and that's why it was explicitly disabled. It's been some time and I may
> be wrong, but you may know better whether an application (e.g. a gnome
> component) could potentially use a single pcscd connection for multiple
> requests sent in parallel. If Stanislav has, however, tested such use
> cases and they cause no issue I have no problem with the change.
Well, in this case, please disable it by changing "auth_admin" to "no"
(my second patch in the thread).
Yes, "auth_admin" still causes issues: The second app waits until you
authorize the first waiting app. Then the second app wakes and asks for
the password as well. And you will be asked twice: the first time to
obtain permission to access the reader, the second time to access the card.
This is ugly, but it is the correct behavior of "auth_admin".
You can use "auth_admin_keep" to prevent these problems: In the next 5
minutes, all applications in the same session will be allowed to access
without subsequent authorization.
Maybe a more complicated implementation of polkit integration would make
it possible for auth_admin to ask just once. But it is a lot of work with
a small benefit.
>> Stanislav Brabec wrote:
>> Well, we can keep the patch and change the defaults. Then the default
>> configuration can never cause delays, but users of ssh remote sessions
>> and so on will still be able to authorize after the admin's conscious
>> changes of configuration.
>
> I find that wrong. The policy should not be used to correct a software
> issue.
Well, the current default configuration with "auth_admin" for inactive
and non-logged users with the current version (without the first patch)
works exactly the same as "no". Without
POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION "auth_admin"
behaves exactly as "no".
If the project applies both patches, pcsc-lite will behave exactly like
before, but it keeps open the chance to make challenge/response auth
possible after a configuration change.
Well, I don't see a reason for auth_admin in the default configuration.
no:no:yes looks OK to me.
But the patch makes more configurations possible:
- relaxing rule: Allow ssh user to access after entering admin password.
auth_admin:auth_admin:yes
- hardening rule: Even local user must repeat password to use
card/reader.
no:no:auth_user_keep
--
Best Regards / S pozdravem,
Stanislav Brabec
software developer
---------------------------------------------------------------------
SUSE LINUX, s. r. o. e-mail: sbrabec at suse.cz
Lihovarská 1060/12 tel: +49 911 7405384547
190 00 Praha 9 fax: +420 284 084 001
Czech Republic http://www.suse.cz/
PGP: 830B 40D5 9E05 35D8 5E27 6FA3 717C 209F A04F CD76
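
Added example, not part of the original message and not pcsc-lite or polkit code: a simplified Python model of how the allow_any:allow_inactive:allow_active defaults discussed above combine with the caller's POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION flag. The class, the session ids and the per-session "keep" cache are assumptions made for illustration; the 5 minute retention is the figure given in the message.

```python
# Added illustration, not polkit or pcsc-lite code: a simplified model of how
# polkit <defaults> combine with the caller's ALLOW_USER_INTERACTION flag.
KEEP_SECONDS = 5 * 60                    # retention of "*_keep", per the message
SLOTS = ("any", "inactive", "active")    # allow_any:allow_inactive:allow_active


class Authority:
    def __init__(self, triple):
        values = triple.split(":")
        if len(values) != len(SLOTS):
            raise ValueError("expected allow_any:allow_inactive:allow_active")
        self.defaults = dict(zip(SLOTS, values))
        self.kept = {}      # session id -> expiry time of a kept authorization
        self.prompts = 0    # number of password prompts shown so far

    def check(self, session_id, state, allow_interaction, now=0.0, auth_ok=True):
        """Return True if access is granted; `state` is one of SLOTS."""
        rule = self.defaults[state]
        if rule == "yes":
            return True
        if rule == "no":
            return False
        # auth_* rules: access needs a successful challenge.
        if self.kept.get(session_id, -1.0) > now:
            return True                  # earlier *_keep authorization still valid
        if not allow_interaction:
            return False                 # no prompt is possible: same result as "no"
        self.prompts += 1                # authentication agent asks for a password
        if not auth_ok:
            return False
        if rule.endswith("_keep"):
            self.kept[session_id] = now + KEEP_SECONDS
        return True


def prompts_for_two_checks(triple):
    """Reader access, then card access, from one remote (ssh-like) session."""
    authority = Authority(triple)
    granted = [authority.check("ssh-1", "any", True, now=t) for t in (0.0, 10.0)]
    return granted, authority.prompts
```

With "auth_admin:auth_admin:yes" the two checks produce two prompts; with "auth_admin_keep" in the same slots the second check is covered by the kept authorization.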