[Pcsclite-muscle] polkit and gdm

Andreas Schwier andreas.schwier at cardcontact.de
Wed Jul 24 00:36:13 PDT 2024


Hi Ludovic,

We have the first users reporting issues where non-root users are denied 
access to pcscd [1].

I don't think that enabling polkit without a permissive default is a 
good way forward, as I can't imagine users programming their polkit 
rules to enable access to cards.

This might turn into a major support nightmare.

Andreas

[1] https://support.nitrokey.com/t/unpriviledged-service-account/6369


On 24.01.24 21:42, Ludovic Rousseau wrote:
> Hello,
> 
> I just received a new Debian bug report "Bug#1061444: pcscd: GDM user
> is NOT authorized for action: access_pcsc"
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061444
> 
> Since pcsc-lite 2.0.1 polkit is enabled by default. This is the case
> in the Debian package since this version released in November 2023.
> https://blog.apdu.fr/posts/2023/11/pcsc-lite-and-polkit/
> 
> From the Debian bug report:
> " When looking at the logs of pcscd, I see the following messages:
> 
> jan 22 09:47:37 edoras pcscd[1663]: 00000000
> auth.c:125:IsClientAuthorized() Error in authorization:
> GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: Process not found
> jan 22 09:47:37 edoras pcscd[1663]: 00000031
> auth.c:143:IsClientAuthorized() Process 1565 (user: 115) is NOT
> authorized for action: access_pcsc
> 
> It seems that GDM is not allowed to talk to pcscd.
> 
> GDM has the functionality to detect whether there is a smartcard in the
> reader and then use the gdm-smartcard PAM service instead of the
> gdm-password one to perform login.
> 
> I guess that GDM should be whitelisted to allow it to use pcscd? "
> 
> Red Hat has had polkit enabled in pcsc-lite for a long time.
> I had a look at RHEL 8.6 to see how the system is configured.
> 
> - pcsc-lite package is provided with the default polkit rule fine
> https://github.com/LudovicRousseau/PCSC/blob/master/doc/org.debian.pcsc-lite.policy
> 
> - gdm provides a polkit rule file
> /usr/share/polkit-1/rules.d/org.gnome.gdm.rules
> polkit.addRule(function(action, subject) {
>      if (action.id == "org.freedesktop.NetworkManager.network-control" &&
>          subject.user == "gdm") {
>              return polkit.Result.NO;
>      }
> 
>      return polkit.Result.NOT_HANDLED;
> });
> So nothing to do with pcsc-lite.
> 
> My question: how is gdm-smartcard working on Red Hat?
> 
> I could add a polkit rule file in the pcscd Debian package to give
> access to Debian-gdm user.
> But maybe it is a better idea to add the polkit rule file in the gdm
> package, since it is gdm that is requesting access to pcsc.
> 
> What do you think?
> What do other GNU/Linux distributions do?
> 
> Thanks
> 

-- 
     ---------    CardContact Systems GmbH
    |.##> <##.|   Schülerweg 38
    |#       #|   D-32429 Minden, Germany
    |#       #|   Phone +49 571 56149
    |'##> <##'|   http://www.cardcontact.de
     ---------    Registergericht Bad Oeynhausen HRB 14880
                  Geschäftsführer Andreas Schwier
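A polkit rule of the kind Ludovic proposes for the greeter user, as an added example (not code from the thread or from the pcsc-lite or gdm projects), with a small stand-in for polkitd's global `polkit` object so the decision logic can be exercised under node. The full action id `org.debian.pcsc-lite.access_pcsc` and the greeter account names `gdm` (Red Hat) and `Debian-gdm` (Debian) are assumptions inferred from the policy file name and the log lines quoted above.

```javascript
// Stand-in for polkitd's global "polkit" object so this file also runs under
// node. Inside a real /etc/polkit-1/rules.d/*.rules file polkitd provides
// the object, and only the rule function and polkit.addRule() call matter.
var polkit = (typeof polkit !== "undefined") ? polkit : {
  Result: { NO: "no", YES: "yes", NOT_HANDLED: "not_handled" },
  _rules: [],
  addRule: function (fn) { this._rules.push(fn); },
};

// Assumed full action id behind the "access_pcsc" seen in the pcscd log
// (the policy file on the page is org.debian.pcsc-lite.policy).
var PCSC_ACTION = "org.debian.pcsc-lite.access_pcsc";
// Assumed greeter accounts: "gdm" on Red Hat / Fedora, "Debian-gdm" on Debian.
var GREETER_USERS = ["gdm", "Debian-gdm"];

// The rule: let the display-manager greeter talk to pcscd so it can detect an
// inserted card and switch to the gdm-smartcard PAM service. Every other
// subject is left to the default from the .policy file (NOT_HANDLED), so the
// rule widens access only for the greeter and nobody else.
function pcscGreeterRule(action, subject) {
  if (action.id == PCSC_ACTION && GREETER_USERS.indexOf(subject.user) >= 0) {
    return polkit.Result.YES;
  }
  return polkit.Result.NOT_HANDLED;
}
polkit.addRule(pcscGreeterRule);

// Harness only: mimics polkitd's evaluation order, where rules run in the
// order they were added and the first one not returning NOT_HANDLED decides.
function checkAuthorization(actionId, subject) {
  for (var i = 0; i < polkit._rules.length; i++) {
    var verdict = polkit._rules[i]({ id: actionId }, subject);
    if (verdict !== polkit.Result.NOT_HANDLED) return verdict;
  }
  return polkit.Result.NOT_HANDLED;
}

// Constructed subjects modelled on the quoted log (pid 1565, greeter user).
console.log(checkAuthorization(PCSC_ACTION, { user: "gdm", pid: 1565 }));
console.log(checkAuthorization(PCSC_ACTION, { user: "svc-account", pid: 4242 }));
```

The second call returns `not_handled`, which means an unprivileged service account still falls through to the default in `org.debian.pcsc-lite.policy`; only a broader rule, or a permissive default, would let such accounts in.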


