[Pcsclite-muscle] polkit and gdm
Ludovic Rousseau
ludovic.rousseau at gmail.com
Wed Jan 24 12:42:17 PST 2024
Hello,
I just received a new Debian bug report "Bug#1061444: pcscd: GDM user
is NOT authorized for action: access_pcsc"
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061444
Since pcsc-lite 2.0.1 polkit is enabled by default. This is the case
in the Debian package since this version released in November 2023.
https://blog.apdu.fr/posts/2023/11/pcsc-lite-and-polkit/
From the Debian bug report:
" When looking at the logs of pcscd, I see the following messages:
jan 22 09:47:37 edoras pcscd[1663]: 00000000
auth.c:125:IsClientAuthorized() Error in authorization:
GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: Process not found
jan 22 09:47:37 edoras pcscd[1663]: 00000031
auth.c:143:IsClientAuthorized() Process 1565 (user: 115) is NOT
authorized for action: access_pcsc
It seems that GDM is not allowed to talk to pcscd.
GDM has the functionality to detect whether there is a smartcard in the
reader and then use the gdm-smartcard PAM service instead of the
gdm-password one to perform login.
I guess that GDM should be whitelisted to allow it to use pcscd? "
Red Hat has had polkit enabled in pcsc-lite for a long time.
I had a look at RHEL 8.6 to see how the system is configured.
- pcsc-lite package is provided with the default polkit rule file
https://github.com/LudovicRousseau/PCSC/blob/master/doc/org.debian.pcsc-lite.policy
- gdm provides a polkit rule file
/usr/share/polkit-1/rules.d/org.gnome.gdm.rules
    polkit.addRule(function(action, subject) {
        if (action.id == "org.freedesktop.NetworkManager.network-control" &&
            subject.user == "gdm") {
            return polkit.Result.NO;
        }
        return polkit.Result.NOT_HANDLED;
    });
So nothing to do with pcsc-lite.
My question: how is gdm-smartcard working on Red Hat?
I could add a polkit rule file in the pcscd Debian package to give
access to the Debian-gdm user.
But maybe it is a better idea to add the polkit rule file in the gdm
package since it is gdm that is requesting access to pcsc.
What do you think?
What do other GNU/Linux distributions do?
Thanks
--
Dr. Ludovic Rousseau
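
The rule file discussed in the message, as an added example that is not part of the original e-mail or of the pcsc-lite or gdm packages: it grants the pcsc-lite actions to the Debian-gdm user only and leaves every other request to the policy defaults. The full action ids (the log above shows only "access_pcsc") and the small `polkit` stand-in used to run the rule under Node are assumptions.

```javascript
// Stand-in for the `polkit` object that polkitd provides to rule files.
// Present only so the rule runs offline; a real rules.d file omits it.
const polkit = {
  Result: { YES: "yes", NO: "no", NOT_HANDLED: "not_handled" },
  rules: [],
  addRule(fn) { this.rules.push(fn); },
};

// The rule itself: this call is the part that would go in a rules.d file.
// It is scoped to the pcsc-lite actions and to the GDM greeter account,
// so it cannot widen access for any other action or user.
polkit.addRule(function(action, subject) {
  // Assumed full action ids; the page's log shows only "access_pcsc".
  var pcscActions = [
    "org.debian.pcsc-lite.access_pcsc",
    "org.debian.pcsc-lite.access_card"
  ];
  if (pcscActions.indexOf(action.id) !== -1 &&
      subject.user == "Debian-gdm") {
    return polkit.Result.YES;
  }
  return polkit.Result.NOT_HANDLED;
});

// Evaluate rules in registration order; the first definite answer wins.
// NOT_HANDLED means no rule decided and the .policy defaults apply.
function evaluate(actionId, user) {
  for (const rule of polkit.rules) {
    const result = rule({ id: actionId }, { user: user });
    if (result && result !== polkit.Result.NOT_HANDLED) {
      return result;
    }
  }
  return polkit.Result.NOT_HANDLED;
}

// Constructed requests: the greeter, another user, and an unrelated action.
const samples = [
  ["org.debian.pcsc-lite.access_pcsc", "Debian-gdm"],
  ["org.debian.pcsc-lite.access_pcsc", "alice"],
  ["org.freedesktop.NetworkManager.network-control", "Debian-gdm"],
];
for (const [actionId, user] of samples) {
  console.log(user, actionId, "=>", evaluate(actionId, user));
}
```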