[Pcsclite-muscle] systemd pcscd.service hardening
Ludovic Rousseau
ludovic.rousseau at gmail.com
Mon Jan 20 12:50:58 PST 2025
Hello Ran,
On Sun, Jan 19, 2025 at 21:58, Ran Benita <ran at unusedvar.com> wrote:
>
> On Sun, Jan 19, 2025, at 17:48, Ludovic Rousseau wrote:
> > # System Call Filtering
> > SystemCallFilter=@system-service
> > SystemCallFilter=~@resources @privileged
>
> In my experience, removing @privileged isn't worth it; there's too much code making occasional use
> of e.g. fchown, and debugging seccomp kills is not easy for ordinary users.
My request is exactly to ask people to test this configuration.
If removing @privileged is problematic I will remove it.
I don't understand "debugging seccomp kills is not easy for ordinary users".
> The largest sandboxing omission is of course - running as a non-root user. As long as pcscd is running
> as root, it'd be very hard to avoid sandbox escapes. What are the reasons that pcscd needs root?
>
> The biggest one I know of is access to (USB) devices, but I think the IFD handlers can install udev
> rules giving the pcscd user (and only the pcscd user) access to their relevant devices (and only their
> relevant devices).
>
> Are there other reasons?
A long time ago (in pcsc-lite version 1.6.5) I tried to run pcscd as
the pcscd user with udev rules to set the access rights.
See "pcscd auto start" https://blog.apdu.fr/posts/2010/09/pcscd-auto-start/
The pcscd process was started by the libpcsclite.so.1 library.
It was added in
https://github.com/LudovicRousseau/PCSC/commit/87f64dd767b2277223f79941b317119d16df9468
(Nov 27, 2009)
This was removed in
https://github.com/LudovicRousseau/PCSC/commit/244664b6b31e723728d409dd178ed11722d83a84
(Nov 14, 2011) to use systemd instead.
The plan was to work on restrictions and run the pcscd process as a normal
user again.
We also had to convert all the drivers to use a udev rule file.
But motivation and time were missing.
> (I did a web search now, and found your old blog post about this:
> https://ludovicrousseau.blogspot.com/2010/12/configuring-your-system-for-pcscd-auto.html
> but this is no longer present, so I guess it didn't work out?)
The comment from
https://github.com/LudovicRousseau/PCSC/commit/244664b6b31e723728d409dd178ed11722d83a84
is:
" Remove pcscd autostart feature
The auto start feature (launch pcscd from the library if not already
running) was a fragile code with some issues. This service is far
better implemented by systemd.
Thanks to Kalev Lember for pushing the systemd patches. "
But I do not remember the details of what the problems were 15 years ago.
I should have been more explicit in the commit message.
Bye
--
Dr. Ludovic Rousseau
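What a seccomp kill of a hardened pcscd.service looks like, and how to trace it back to the syscall that triggered it, as an added example that is not code from pcsc-lite or from either participant in the thread. The "status=31/SYS" service line and the kernel's type=1326 (SECCOMP) audit record below are constructed samples in the formats systemd and the kernel actually use; the small syscall-number table is an assumption limited to x86_64 (arch=c000003e), and `ausyscall` from the audit package gives the full mapping. The drop-in that swaps the kill for EPERM and logs the filtered calls is one way to debug such a service, not the project's configuration; `SystemCallLog=` requires systemd 247 or newer.

```shell
#!/bin/sh
# Added example, not part of pcsc-lite: how a seccomp kill of a hardened
# pcscd.service shows up, and how to find the syscall behind it.

# A syscall rejected by SystemCallFilter= kills the process with SIGSYS.
# `systemctl status pcscd` and journalctl render that as
# "code=killed, status=31/SYS" (31 is SIGSYS). Classify such a line.
classify_exit() {
    case "$1" in
        *code=killed*status=31/SYS*) echo seccomp-kill ;;
        *code=killed*)               echo other-signal ;;
        *code=exited*)               echo exit-code ;;
        *)                           echo unknown ;;
    esac
}

# The kernel also emits an audit record (type=1326, visible in dmesg or
# journalctl -k) carrying the raw syscall number. Extract "syscall=N" and
# map N to a name. ASSUMPTION: the table only covers a few x86_64
# (arch=c000003e) numbers so this runs offline; use `ausyscall N` from the
# audit package for the complete mapping.
syscall_from_audit() {
    line=$1
    num=$(printf '%s\n' "$line" | sed -n 's/.*[[:space:]]syscall=\([0-9][0-9]*\).*/\1/p')
    [ -n "$num" ] || { echo unknown; return 1; }
    case "$line" in
        *arch=c000003e*) ;;
        *) echo "syscall-$num"; return 0 ;;
    esac
    case "$num" in
        92)  echo chown ;;
        93)  echo fchown ;;
        94)  echo lchown ;;
        105) echo setuid ;;
        106) echo setgid ;;
        160) echo setrlimit ;;
        *)   echo "syscall-$num" ;;
    esac
}

# Debugging drop-in (assumed, not the project's unit file): keep the filter
# proposed in the thread, but make a rejected call fail with EPERM instead
# of killing pcscd, and log every call into the denied groups so the
# caller can be identified. Install with `systemctl edit pcscd.service`.
debug_dropin() {
    cat <<'EOF'
[Service]
SystemCallFilter=@system-service
SystemCallFilter=~@resources @privileged
# debugging only: EPERM instead of SIGSYS, plus an audit record per call
SystemCallErrorNumber=EPERM
SystemCallLog=@resources @privileged
EOF
}

# Constructed sample lines (formats as emitted by systemd and the kernel).
STATUS_LINE='Jan 20 12:50:58 host systemd[1]: pcscd.service: Main process exited, code=killed, status=31/SYS'
AUDIT_LINE='audit: type=1326 audit(1737396658.123:42): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=1234 comm="pcscd" exe="/usr/sbin/pcscd" sig=31 arch=c000003e syscall=93 compat=0 ip=0x7f3a1c2b4e07 code=0x80000000'

main() {
    printf 'service exit: %s\n' "$(classify_exit "$STATUS_LINE")"
    printf 'offending syscall: %s\n' "$(syscall_from_audit "$AUDIT_LINE")"
    # Where systemd is installed, confirm which group contains the call:
    # `systemd-analyze syscall-filter` lists the members of a set.
    if command -v systemd-analyze >/dev/null 2>&1; then
        systemd-analyze syscall-filter @privileged 2>/dev/null \
            | grep -qwE 'fchown|@chown' && echo 'fchown is covered by @privileged'
    fi
    echo '--- drop-in for debugging ---'
    debug_dropin
}

main
```

Run it with `sh` on any Linux machine; the two sample lines stand in for what `systemctl status pcscd` and `journalctl -k` would show after a kill. Once the syscall is named, the choice is the one Ran raises: change the code path in pcscd or the IFD handler, or take the syscall's group out of the deny list. Remember to remove `SystemCallErrorNumber=EPERM` again afterwards, since a silently failing privileged call is what the kill was protecting against.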