[Pcsclite-muscle] Change the error code when PC/SC access is refused by polkit?

Ludovic Rousseau ludovic.rousseau at gmail.com
Fri Jul 29 07:32:58 PDT 2022


Hello,

I am using PC/SC on CentOS/RedHat and I am often surprised when I get the error:
$ pcsc_scan
SCardEstablishContext: RPC transport error.

The error code is SCARD_F_COMM_ERROR
https://pcsclite.apdu.fr/api/group__ErrorCodes.html#ga93d3cf468d69423eab1d478a7a870408

From the pcscd logs I see:
00000003 [139737213696960] pcscdaemon.c:133:SVCServiceRunLoop() A new
context thread creation is requested: 10
00019807 [139737012623104] auth.c:139:IsClientAuthorized() Process
41685 (user: 1000) is NOT authorized for action: access_pcsc
00000107 [139737012623104] winscard_svc.c:335:ContextThread() Rejected
unauthorized PC/SC client

So I get SCARD_F_COMM_ERROR because auth.c (in fact polkit) decided I
should not have access to PC/SC.
For example this happens when I connect to the computer using ssh, and
not from the console.

The error is even more confusing if you enable logs in the client:
$ PCSCLITE_DEBUG=0 pcsc_scan
winscard_clnt.c:605:SCardEstablishContextTH() Your pcscd is too old
and does not support CMD_VERSION
SCardEstablishContext: RPC transport error.

The problem is NOT that pcscd is too old :-)


I was thinking: maybe a more explicit error code would be better?
Maybe SCARD_E_SYSTEM_CANCELLED or SCARD_W_SECURITY_VIOLATION

I do not want to invent a new WinSCard return value.
We should use one from the list
https://docs.microsoft.com/en-us/windows/win32/secauthn/authentication-return-values

I don't know if it is easy to implement. When polkit refuses the
connection the pcscd server just closes the socket without sending
*anything* to the client.

Any comment?

Regards,

-- 
 Dr. Ludovic Rousseau
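
An added example, not part of the original message and not pcsc-lite code: since the client only sees SCARD_F_COMM_ERROR, the refusal has to be confirmed from the pcscd debug log. The sketch below pairs the `IsClientAuthorized()` denial with the `ContextThread()` rejection on the same thread; the function names `unwrap`, `find_polkit_denials` and `explain` are hypothetical, and the sample input is the log excerpt from the message with mail-style line wrapping.

```python
import re

# pcscd debug line: <time delta> [<thread id>] <file>:<line>:<function>() <message>
LINE_RE = re.compile(r"^(\d+) \[(\d+)\] ([\w.]+):(\d+):(\w+)\(\) (.*)$")
DENY_RE = re.compile(r"Process (\d+) \(user: (\d+)\) is NOT authorized for action: (\S+)")

# Log excerpt quoted in the message, wrapped the way a mail client wraps it.
SAMPLE_LOG = """\
00000003 [139737213696960] pcscdaemon.c:133:SVCServiceRunLoop() A new
context thread creation is requested: 10
00019807 [139737012623104] auth.c:139:IsClientAuthorized() Process
41685 (user: 1000) is NOT authorized for action: access_pcsc
00000107 [139737012623104] winscard_svc.c:335:ContextThread() Rejected
unauthorized PC/SC client
"""

def unwrap(log_text):
    """Rejoin log records that were split onto continuation lines."""
    records = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if LINE_RE.match(line) or not records:
            records.append(line)
        elif line:
            records[-1] += " " + line
    return records

def find_polkit_denials(log_text):
    """Return one dict per client rejected after a polkit denial.

    A denial is reported only when the same thread that logged it in
    IsClientAuthorized() then logs the rejection in ContextThread().
    """
    pending, denials = {}, []
    for record in unwrap(log_text):
        m = LINE_RE.match(record)
        if not m:
            continue  # not a pcscd debug line
        thread, func, msg = m.group(2), m.group(5), m.group(6)
        d = DENY_RE.search(msg) if func == "IsClientAuthorized" else None
        if d:
            pending[thread] = {"pid": int(d.group(1)), "uid": int(d.group(2)),
                               "action": d.group(3), "thread": thread}
        elif func == "ContextThread" and "Rejected unauthorized" in msg:
            if thread in pending:
                denials.append(pending.pop(thread))
    return denials

def explain(denial):
    return (f"process {denial['pid']} (uid {denial['uid']}) was refused polkit "
            f"action '{denial['action']}'; the client sees SCARD_F_COMM_ERROR")

if __name__ == "__main__":
    for item in find_polkit_denials(SAMPLE_LOG):
        print(explain(item))
```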


