[Pcsclite-muscle] [PATCH] pcsc-lite & polkit: allow auth_admin

Stanislav Brabec sbrabec
Fri Dec 5 10:24:10 PST 2014


Martin Paljak wrote:

> Does this mean that in standard configuration I shall not be able to use
> (on certain distros) smart cards from SSH connections?

Not only smart cards. The default polkit configuration rejects any 
hardware access (sound, Wi-Fi configuration, reboot/suspend, USB mass 
storage mount) for remote non-root users.

But admin is able to change the default by adding a polkit rule.

> IMHO the *default* answer should be "NO, you can still access smart
> cards from SSH remote connections after this patch, without admin's
> conscious configuration changes"

Polkit authors and desktop security people have a different opinion.

The polkit uses following security concept: You can be either "locally 
logged active user", "locally logged inactive user" or "any user".

If you are using "ssh -X me at mydevice", you are "any user" (someting like 
unprivileged user).

Most of desktop hardware services are permitted for "locally logged 
active user" only. It is a wanted behavior. In the fact, it is the 
purpose of polkit:

Imagine a large machine with many users. One user is sitting at the 
desk, authorizing a transaction with a smart card. "Any user", which 
logs into the machine using SSH, MUST NOT be able to use that smart card.

Without the patch, admin can configure only "yes" or "no" for the user 
categories mentioned before. The patch adds possibility to use 
"auth_admin": allow access only after entering admin's password.

-- 
Best Regards / S pozdravem,

Stanislav Brabec
software developer
---------------------------------------------------------------------
SUSE LINUX, s. r. o.                          e-mail: sbrabec at suse.cz
Lihovarsk? 1060/12                            tel: +49 911 7405384547
190 00 Praha 9                                 fax:  +420 284 084 001
Czech Republic                                    http://www.suse.cz/
PGP: 830B 40D5 9E05 35D8 5E27 6FA3 717C 209F A04F CD76




More information about the pcsclite-muscle mailing list