[Pcsclite-muscle] Change the error code when PC/SC access is refused by polkit?

Ludovic Rousseau ludovic.rousseau at gmail.com
Sat Aug 20 07:08:07 PDT 2022


Hello,

Thanks Martin and Maksim for your comments.

I implemented the change in
https://github.com/LudovicRousseau/PCSC/commit/68f629ffecaec3886c717021e70ac62c22b38bd8
and https://github.com/LudovicRousseau/PCSC/commit/1935b6997b281f0d836b829b4cfeeab6c81c3ded

You can get a snapshot of pcsc-lite from
http://ludovic.rousseau.free.fr/softwares/pcsc-lite/pcsc-lite-1.9.8-1935b69.tar.bz2
Please test it, in particular if you use Polkit (i.e. RedHat or Fedora).

Regards,

On Thu, Aug 11, 2022 at 14:04, Maksim Ivanov <emaxx at google.com> wrote:
>
> Hi,
>
> Just my 2 cents: the "SCARD_W_SECURITY_VIOLATION" error code sounds like a reasonable reply for the "NOT authorized for action" error.
>
>
> Regards,
> Maksim
>
>
> On Fri, Jul 29, 2022 at 4:33 PM Ludovic Rousseau <ludovic.rousseau at gmail.com> wrote:
>>
>> Hello,
>>
>> I am using PC/SC on CentOS/RedHat and I am often surprised when I get the error:
>> $ pcsc_scan
>> SCardEstablishContext: RPC transport error.
>>
>> The error code is SCARD_F_COMM_ERROR
>> https://pcsclite.apdu.fr/api/group__ErrorCodes.html#ga93d3cf468d69423eab1d478a7a870408
>>
>> From the pcscd logs I see:
>> 00000003 [139737213696960] pcscdaemon.c:133:SVCServiceRunLoop() A new
>> context thread creation is requested: 10
>> 00019807 [139737012623104] auth.c:139:IsClientAuthorized() Process
>> 41685 (user: 1000) is NOT authorized for action: access_pcsc
>> 00000107 [139737012623104] winscard_svc.c:335:ContextThread() Rejected
>> unauthorized PC/SC client
>>
>> So I get SCARD_F_COMM_ERROR because auth.c (in fact polkit) decided I
>> should not have access to PC/SC.
>> For example this happens when I connect to the computer using ssh, and
>> not from the console.
>>
>> The error is even more confusing if you enable logs in the client:
>> $ PCSCLITE_DEBUG=0 pcsc_scan
>> winscard_clnt.c:605:SCardEstablishContextTH() Your pcscd is too old
>> and does not support CMD_VERSION
>> SCardEstablishContext: RPC transport error.
>>
>> The problem is NOT that pcscd is too old :-)
>>
>>
>> I was thinking: maybe a more explicit error code would be better?
>> Maybe SCARD_E_SYSTEM_CANCELLED or SCARD_W_SECURITY_VIOLATION
>>
>> I do not want to invent a new WinSCard return value.
>> We should use one from the list
>> https://docs.microsoft.com/en-us/windows/win32/secauthn/authentication-return-values
>>
>> I don't know if it is easy to implement. When polkit refuses the
>> connection the pcscd server just closes the socket without sending
>> *anything* to the client.
>>
>> Any comment?
>>
>> Regards,
>>
>> --
>>  Dr. Ludovic Rousseau
>>
>
>


-- 
 Dr. Ludovic Rousseau
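
A log triage sketch for the situation discussed in this exchange, added here as an example (it is not code from pcsc-lite or from either poster): it re-joins pcscd records that were wrapped in transit, as the quoted ones are, and pairs each polkit refusal with the rejection logged under the same thread id, so an `RPC transport error` seen by a client can be tied to an authorization decision. The function names and the second refusal in the sample are assumptions made for illustration.

```python
import re

# Layout of the quoted pcscd lines: <8 digits> [<thread id>] <file>:<line>:<function>() <message>
HEAD_RE = re.compile(r"^\d{8} \[\d+\] ")
LINE_RE = re.compile(r"^\d{8} \[(\d+)\] [\w.]+:\d+:(\w+)\(\) (.*)$")
DENY_RE = re.compile(r"Process (\d+) \(user: (\d+)\) is NOT authorized for action: (\S+)")
REJECT_MSG = "Rejected unauthorized PC/SC client"

def unwrap(lines):
    """Re-join records that a mail client or terminal wrapped across lines."""
    records = []
    for line in lines:
        line = line.strip()
        if HEAD_RE.match(line) or not records:
            records.append(line)
        elif line:
            records[-1] += " " + line
    return records

def polkit_denials(lines):
    """One dict per refused client; 'rejected' is set once the same thread logs the drop."""
    pending, denials = {}, []
    for record in unwrap(lines):
        m = LINE_RE.match(record)
        if not m:
            continue
        thread, func, msg = m.groups()
        d = DENY_RE.search(msg)
        if func == "IsClientAuthorized" and d:
            rec = {"pid": int(d[1]), "uid": int(d[2]), "action": d[3],
                   "thread": thread, "rejected": False}
            pending[thread] = rec
            denials.append(rec)
        elif func == "ContextThread" and msg.startswith(REJECT_MSG) and thread in pending:
            pending.pop(thread)["rejected"] = True
    return denials

# Constructed sample: the three records quoted in the message (wrapped as mailed),
# followed by a second, made-up refusal for another user with no rejection line yet.
SAMPLE = """\
00000003 [139737213696960] pcscdaemon.c:133:SVCServiceRunLoop() A new
context thread creation is requested: 10
00019807 [139737012623104] auth.c:139:IsClientAuthorized() Process
41685 (user: 1000) is NOT authorized for action: access_pcsc
00000107 [139737012623104] winscard_svc.c:335:ContextThread() Rejected
unauthorized PC/SC client
00020011 [139737004230400] auth.c:139:IsClientAuthorized() Process
41702 (user: 1001) is NOT authorized for action: access_pcsc
""".splitlines()
```

Calling `polkit_denials(SAMPLE)` returns two records; only the first is marked as rejected, because the constructed second refusal has no matching `ContextThread()` line.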


