[Pcsclite-muscle] polkit and gdm
Andreas Schwier
andreas.schwier at cardcontact.de
Wed Jul 24 03:12:24 PDT 2024
OK, so the default is that a local user has access, but a user
connected by ssh doesn't?
On 24.07.24 11:18, Ludovic Rousseau wrote:
> On Wed, 24 Jul 2024 at 09:37, Andreas Schwier
> <andreas.schwier at cardcontact.de> wrote:
>>
>> Hi Ludovic,
>
> Hello Andreas,
>
>> we have first users reporting issues, where non-root users are denied
>> access to pcscd [1].
>
> It is not clear if the access is done through a remote connection or not.
> I have no problem if I run (similar to what the user uses in the bug report):
> # sudo -H -u rousseau bash -c "pcsc_scan -r"
>
> If you connect to the computer using ssh, yes it will fail by default.
>
>> I don't think that enabling polkit without a permissive default is a
>> good way forward, as I can't imagine users programming their polkit
>> rules to enable access to cards.
>
> Any local user (locally connected) has access to PC/SC.
>
> It would also be possible to grant access to users of a group named
> "smartcard" or something similar.
> But the group would be created empty.
>
> A sane security default is always difficult to choose. I do not know
> the perfect answer.
>
>> This might turn into a major support nightmare.
>
> Red Hat has had polkit enabled for years.
> I have not received complaints.
>
>> [1] https://support.nitrokey.com/t/unpriviledged-service-account/6369
>
> Bye
>
--
--------- CardContact Systems GmbH
|.##> <##.| Schülerweg 38
|# #| D-32429 Minden, Germany
|# #| Phone +49 571 56149
|'##> <##'| http://www.cardcontact.de
--------- Registergericht Bad Oeynhausen HRB 14880
Geschäftsführer Andreas Schwier
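
The group-based access suggested in the quoted reply, written as a polkit rule. This is an added example, not part of the original mail and not code shipped by pcsc-lite. The rules file name, the `threadDefault`/`decide`/`makeSubject` helpers and the sample subjects are assumptions made so the logic can be run outside polkitd.

```javascript
// Added example. As a polkit rule this would live in a file such as
// /etc/polkit-1/rules.d/30-pcscd-smartcard.rules (file name is an assumption).
// polkit supplies the `polkit` object; under plain Node.js it is absent and
// the stand-in value below is used so the logic can be exercised offline.
var YES = (typeof polkit !== "undefined") ? polkit.Result.YES : "yes";

// Action ids declared by pcsc-lite's polkit policy.
var PCSC_ACTIONS = [
    "org.debian.pcsc-lite.access_pcsc", // talk to the pcscd daemon
    "org.debian.pcsc-lite.access_card"  // open a card in a reader
];

// Grant PC/SC access to members of the "smartcard" group (group name taken
// from the thread; it has to be created and populated by the administrator).
function pcscGroupRule(action, subject) {
    if (PCSC_ACTIONS.indexOf(action.id) === -1) {
        return undefined;               // not ours, let other rules decide
    }
    return subject.isInGroup("smartcard") ? YES : undefined;
}

if (typeof polkit !== "undefined") {
    polkit.addRule(pcscGroupRule);      // real registration under polkitd
}

// Model of the default described in the thread (an assumption, not polkit
// code): without a matching rule only a local, active session gets access.
function threadDefault(subject) {
    return (subject.local && subject.active) ? "yes" : "no";
}

// Combined decision: a rule result wins, otherwise the default applies.
function decide(actionId, subject) {
    var r = pcscGroupRule({ id: actionId }, subject);
    return r !== undefined ? r : threadDefault(subject);
}

// Constructed stand-in for polkit's Subject object (sample data).
function makeSubject(user, groups, local, active) {
    return {
        user: user, groups: groups, local: local, active: active,
        isInGroup: function (g) { return groups.indexOf(g) !== -1; }
    };
}
```

Group membership here grants access however the user is connected, ssh sessions and service accounts included, so the group should hold only accounts that are meant to reach the readers.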