[Pcsclite-muscle] polkit and gdm
Ludovic Rousseau
ludovic.rousseau at gmail.com
Wed Jul 24 02:18:52 PDT 2024
On Wed, 24 Jul 2024 at 09:37, Andreas Schwier
<andreas.schwier at cardcontact.de> wrote:
>
> Hi Ludovic,
Hello Andreas,
> we have first users reporting issues, where non-root users are denied
> access to pcscd [1].
It is not clear if the access is done through a remote connection or not.
I have no problem if I run (similar to what the user uses in the bug report):
# sudo -H -u rousseau bash -c "pcsc_scan -r"
If you connect to the computer using ssh, yes it will fail by default.
> I don't think that enabling polkit without a permissive default is a
> good way forward, as I can't imagine users programming their polkit
> rules to enable access to cards.
Any local user (locally connected) has access to PC/SC.
It would also be possible to grant access to users of a group named
"smartcard" or something similar.
But the group would be created empty.
A sane security default is always difficult to choose. I do not know
the perfect answer.
> This might turn into a major support nightmare.
Red Hat has had polkit enabled for years.
I have not received complaints.
> [1] https://support.nitrokey.com/t/unpriviledged-service-account/6369
Bye
--
Dr. Ludovic Rousseau
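
The group-based access mentioned in the message above could be expressed as a polkit rule like the following. This is an added example, not part of the original message and not code shipped by pcsc-lite. It assumes the two action IDs declared in pcsc-lite's polkit policy file, a group named "smartcard" that the administrator creates and populates, and a hypothetical rules file name; the `pk` stand-in exists only so the decision function can be run outside polkitd.

```javascript
// Added example: polkit rule for pcscd, e.g. saved as
// /etc/polkit-1/rules.d/30-pcsc-smartcard-group.rules (file name is an assumption).
// Outside polkitd (for instance under Node.js) there is no global `polkit`
// object, so a minimal stand-in is used to exercise the decision function.
var pk = (typeof polkit !== "undefined") ? polkit : {
    Result: { YES: "yes", NO: "no" },
    addRule: function (fn) { return fn; }
};

// Actions declared by pcsc-lite's polkit policy.
var PCSC_ACTIONS = [
    "org.debian.pcsc-lite.access_pcsc",  // talk to pcscd at all
    "org.debian.pcsc-lite.access_card"   // connect to a card in a reader
];

// Group name taken from the message above (assumption: the administrator
// creates it and adds members; it would start out empty).
var PCSC_GROUP = "smartcard";

function pcscGroupRule(action, subject) {
    if (PCSC_ACTIONS.indexOf(action.id) === -1) {
        return undefined;        // not a PC/SC action: leave it to other rules
    }
    if (subject.isInGroup(PCSC_GROUP)) {
        return pk.Result.YES;    // granted even for ssh or service-account sessions
    }
    return undefined;            // not in the group: the policy default applies
}

pk.addRule(pcscGroupRule);
```

Returning `undefined` rather than `polkit.Result.NO` for non-members keeps the existing default, so locally connected users keep their access and only group members gain access from remote or non-interactive sessions.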