[Pcsclite-muscle] systemd pcscd.service hardening

Ludovic Rousseau ludovic.rousseau at gmail.com
Sat Aug 2 07:00:43 PDT 2025


Hello,

The next version of pcsc-lite (expected in September) should provide a
security improvement: pcscd will run as a normal user, not as root.
Thanks to Ran for the plan below and proposed patches.

You can have a look at the pcsc-lite patches in
https://github.com/LudovicRousseau/PCSC-devel/
and CCID patches in https://github.com/LudovicRousseau/CCID-devel/

In particular the important patches are:
- "Run pcscd under a pcscd user instead of root when using systemd"
https://github.com/LudovicRousseau/PCSC-devel/commit/387459dbffa2700e834ec6926a33a457bf81b09e
- "Give pcscd group permission to CCID devices in udev rule"
https://github.com/LudovicRousseau/CCID-devel/commit/030278ed1738672e95d8e0c1111a5724421babef

If you are a maintainer of a driver for pcsc-lite you will have to
update your driver to give access to group "pcscd" to your device when
plugged.
A udev rule file containing something like:
ATTRS{idVendor}=="xxxx", ATTRS{idProduct}=="yyyy", GROUP="pcscd"
Replace "xxxx" & "yyyy" by your vendor and product USB IDs.

The pcscd user and pcscd group will be created by pcsc-lite (or its packaging).
You should not have to do it in the driver itself.

I will do the changes for pcsc-lite, CCID driver and the corresponding
Debian packages.
But I will not modify the other drivers.

If you need help for your driver please write on this list or contact
me directly.

Regards,

On Mon, Jan 20, 2025 at 22:39, Ran Benita <ran at unusedvar.com> wrote:

> I'm willing to work on this if you are willing. A rough plan:
>
> 1. Make an experimental PCSC branch which runs as a pcscd user instead of root on Linux.
> Combine with current experiment, do it concurrently, or do it after?
>
> 2. Make an experimental CCID branch which installs the appropriate udev rules on Linux.
> Hopefully it's possible to make this conditional on the existence of a pcscd user, so there is
> no hard dependency on (1).
> Writing a rule that matches all USB CCID devices should be possible (you already show it in
> your blog). I'm less familiar with any other device types that CCID driver supports, like PCI or
> serial, hopefully you could fill me in on those.
>
> 3. Announce the intention to change pcscd to not run as root, specifically mentioning that
> custom drivers will no longer have access to devices by default, and will need to install
> appropriate udev rules giving the pcscd user permission to their devices. Explain how
> to test.
>
> 4. Document how to make pcscd run as root again (place a systemd drop-in file), as a last
> resort.
>
> 5. After some time, if testing went well, release it.
>
> Ran

-- 
 Dr. Ludovic Rousseau
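
Added example (not part of the original mail, and not pcsc-lite or CCID code): a small Python model of udev rule matching that a driver maintainer could run over a rules file to see which GROUP a reader ends up with once pcscd no longer runs as root. The USB IDs, function names and sample rules are constructed for illustration; GOTO/LABEL, IMPORT and PROGRAM are not modelled.

```python
import fnmatch
import re

# One key/operator/value token of a udev rule, e.g. ATTRS{idVendor}=="08e6"
TOKEN = re.compile(r'([A-Z_]+(?:\{[^}]+\})?)\s*(==|!=|:=|\+=|-=|=)\s*"([^"]*)"')

def _value_matches(pattern, value):
    # udev match values are case-sensitive shell globs; "|" separates alternatives
    return any(fnmatch.fnmatchcase(value, alt) for alt in pattern.split("|"))

def effective_group(rules_text, device):
    """Return the GROUP assigned to `device` (dict of match key -> value), or None.
    Simplified model (assumption): rules are evaluated top to bottom, no GOTO."""
    group, final = None, False
    # Join backslash-continued lines before splitting into rules
    for line in rules_text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = TOKEN.findall(line)
        # Every ==/!= key must agree with the device; a missing key never satisfies ==
        if not all((k in device and _value_matches(v, device[k])) == (op == "==")
                   for k, op, v in tokens if op in ("==", "!=")):
            continue
        for k, op, v in tokens:
            # "=" may be overridden by a later rule, ":=" is final
            if k == "GROUP" and op in ("=", ":=") and not final:
                group, final = v, op == ":="
    return group

# Constructed sample rules; the USB IDs are placeholders, not real devices
SAMPLE_RULES = '''\
# reader 0001: the form suggested in the mail
ATTRS{idVendor}=="1a2b", ATTRS{idProduct}=="0001", GROUP="pcscd"
# reader 00ff: upper-case hex never matches, sysfs reports IDs in lower case
ATTRS{idVendor}=="1A2B", ATTRS{idProduct}=="00FF", GROUP="pcscd"
# reader 0003: a later rule silently overrides the group
ATTRS{idVendor}=="1a2b", ATTRS{idProduct}=="0003", GROUP="pcscd"
ATTRS{idVendor}=="1a2b", ATTRS{idProduct}=="0003", GROUP="plugdev"
'''

def usb(vid, pid):
    return {"SUBSYSTEM": "usb", "ATTRS{idVendor}": vid, "ATTRS{idProduct}": pid}

if __name__ == "__main__":
    for pid in ("0001", "00ff", "0003"):
        print(pid, effective_group(SAMPLE_RULES, usb("1a2b", pid)))
```

A reader whose result is anything other than "pcscd" would not be accessible to a non-root pcscd unless another rule or ACL grants access.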


