[Pcsclite-muscle] New version of pcsc-lite: 2.3.1
Greg Troxel
gdt at lexort.com
Fri Dec 27 07:01:53 PST 2024
Ludovic Rousseau <ludovic.rousseau at gmail.com> writes:
> Polkit is used since 2014 and is enabled by default since Nov 2023.
>
> Support of FreeBSD was added in
> https://github.com/LudovicRousseau/PCSC/commit/19d0b26402a3d584186ff28d4c528382d7fd1a5e
> But it looks like NetBSD does not have LOCAL_PEERCRED.
> A patch is welcome.
Reading that diff, I'm not sure how this built before.
It looks like the other half of the ifdef freebsd is linux, not
"everything else". But it looks like there are changes since.
Looking at 2.3.0::

  #if defined(HAVE_POLKIT) && defined(SO_PEERCRED)

  #include <polkit/polkit.h>
  #include <stdbool.h>

  extern bool disable_polkit;

  /* Returns non zero when the client is authorized */
  unsigned IsClientAuthorized(int socket, const char* action, const char* reader)
  {
          struct ucred cr;

the logic is as I'd expect.
My diff is wrong, but I think the basic concept, of only compiling the
peercred-using IsClientAuthorized if both polkit is present and one or
the other PEERCRED define is present, is sound.
NetBSD has LOCAL_CREDS which gets you a struct sockcred. Probably
that's in OpenBSD as well.
I am surprised this is different; I would have guessed it dated back to
4.3BSD.  FreeBSD's unix(4) says

     Credentials of the sending process can be transmitted explicitly using
     a control message of type SCM_CREDS with a data portion of type struct
     cmsgcred, defined in <sys/socket.h> as follows:

     struct cmsgcred {
       pid_t cmcred_pid;             /* PID of sending process */
       uid_t cmcred_uid;             /* real UID of sending process */
       uid_t cmcred_euid;            /* effective UID of sending process */
       gid_t cmcred_gid;             /* real GID of sending process */
       short cmcred_ngroups;         /* number of groups */
       gid_t cmcred_groups[CMGROUP_MAX];     /* groups */
     };

     The sender should pass a zeroed buffer which will be filled in by the
     system.
I see also that FreeBSD supports LOCAL_CREDS, and that support appears
to be the same as NetBSD.
I am guessing that the PEERCRED approach was chosen because it can be
queried on a socket, rather than enabled on the socket and then using
recvmsg.