[Pcsclite-muscle] Change the error code when PC/SC access is refused by polkit?

Maksim Ivanov emaxx at google.com
Thu Aug 11 05:07:45 PDT 2022


Hi,

Just my 2 cents: the "SCARD_W_SECURITY_VIOLATION" error code sounds
like a reasonable reply for the "NOT authorized for action" error.

But I don't know either how easy it'd be to implement it.


Regards,
Maksim


On Fri, Jul 29, 2022 at 4:33 PM Ludovic Rousseau
<ludovic.rousseau at gmail.com> wrote:
>
> Hello,
>
> I am using PC/SC on CentOS/RedHat and I am often surprised when I get the error:
> $ pcsc_scan
> SCardEstablishContext: RPC transport error.
>
> The error code is SCARD_F_COMM_ERROR
> https://pcsclite.apdu.fr/api/group__ErrorCodes.html#ga93d3cf468d69423eab1d478a7a870408
>
> From the pcscd logs I see:
> 00000003 [139737213696960] pcscdaemon.c:133:SVCServiceRunLoop() A new
> context thread creation is requested: 10
> 00019807 [139737012623104] auth.c:139:IsClientAuthorized() Process
> 41685 (user: 1000) is NOT authorized for action: access_pcsc
> 00000107 [139737012623104] winscard_svc.c:335:ContextThread() Rejected
> unauthorized PC/SC client
>
> So I get SCARD_F_COMM_ERROR because auth.c (in fact polkit) decided I
> should not have access to PC/SC.
> For example this happens when I connect to the computer using ssh, and
> not from the console.
>
> The error is even more confusing if you enable logs in the client:
> $ PCSCLITE_DEBUG=0 pcsc_scan
> winscard_clnt.c:605:SCardEstablishContextTH() Your pcscd is too old
> and does not support CMD_VERSION
> SCardEstablishContext: RPC transport error.
>
> The problem is NOT that pcscd is too old :-)
>
>
> I was thinking: maybe a more explicit error code would be better?
> Maybe SCARD_E_SYSTEM_CANCELLED or SCARD_W_SECURITY_VIOLATION
>
> I do not want to invent a new WinSCard return value.
> We should use one from the list
> https://docs.microsoft.com/en-us/windows/win32/secauthn/authentication-return-values
>
> I don't know if it is easy to implement. When polkit refuses the
> connection the pcscd server just closes the socket without sending
> *anything* to the client.
>
> Any comment?
>
> Regards,
>
> --
>  Dr. Ludovic Rousseau
>

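Until the client receives a distinct error code, the pcscd log is the only place where a polkit refusal can be told apart from a real transport failure. The following is an added example, not code from the thread or from pcsc-lite: it scans pcscd debug output for the refusal pair quoted above. The line layout is assumed from the three quoted log lines, and the names `find_polkit_denials` and `SAMPLE` are hypothetical.

```python
import re

# Assumed pcscd debug layout: "<delta> [<thread>] <file>:<line>:<func>() <message>"
LINE = re.compile(r"^(\d+) \[(\d+)\] ([\w.]+):(\d+):(\w+)\(\) (.*)$")
DENIED = re.compile(
    r"Process (\d+) \(user: (\d+)\) is NOT authorized for action: (\S+)")
REJECTED = "Rejected unauthorized PC/SC client"

# Log lines from the message above, with the e-mail line wrapping undone.
SAMPLE = """\
00000003 [139737213696960] pcscdaemon.c:133:SVCServiceRunLoop() A new context thread creation is requested: 10
00019807 [139737012623104] auth.c:139:IsClientAuthorized() Process 41685 (user: 1000) is NOT authorized for action: access_pcsc
00000107 [139737012623104] winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
"""


def find_polkit_denials(log_text):
    """Return one record per client that pcscd refused on authorization.

    A denial is marked confirmed only when the thread that logged the
    IsClientAuthorized() refusal also logs the ContextThread() rejection.
    """
    pending = {}   # thread id -> denial record awaiting confirmation
    denials = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped fragments and non-pcscd lines
        thread, func, msg = m.group(2), m.group(5), m.group(6)
        d = DENIED.search(msg)
        if func == "IsClientAuthorized" and d:
            pending[thread] = {"pid": int(d.group(1)), "uid": int(d.group(2)),
                               "action": d.group(3), "confirmed": False}
            denials.append(pending[thread])
        elif func == "ContextThread" and REJECTED in msg and thread in pending:
            pending.pop(thread)["confirmed"] = True
    return denials


if __name__ == "__main__":
    for rec in find_polkit_denials(SAMPLE):
        print("polkit denied pid={pid} uid={uid} action={action} "
              "confirmed={confirmed}".format(**rec))
```
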