Privileges using security tokens through PC/SC-daemon
Date: Wed, 04 Sep 2024 08:41:47 UTC
Hello,
I'm using packages "pcsc-lite-2.2.2,2" and "polkit-124_3" and set
"pcscd_enable" to "YES" in "/etc/rc.conf".
My computer has a YubiKey 5 NFC with firmware version 5.7.1 connected
to it. When I create an unprivileged user account and log in from a
remote machine (through ssh), then this unprivileged user account can
use "ykman" to access my security key and, for example, list stored
credentials, generate one-time tokens, erase or temporarily block the
device (by providing a wrong PIN), or even effectively brick it (if no
configuration password is set).
As far as I understand, polkit should prohibit this. pcsc-lite installs
a file "/usr/local/share/polkit-1/actions/org.debian.pcsc-lite.policy"
with the following contents:
------------
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
  "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
  "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
<policyconfig>
  <vendor>The PCSC-lite Project</vendor>
  <vendor_url>https://pcsclite.apdu.fr/</vendor_url>
  <!-- <icon_name>smart-card</icon_name> -->

  <action id="org.debian.pcsc-lite.access_pcsc">
    <description>Access to the PC/SC daemon</description>
    <message>Authentication is required to access the PC/SC daemon</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>

  <action id="org.debian.pcsc-lite.access_card">
    <description>Access to the smart card</description>
    <message>Authentication is required to access the smart card</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>
------------
Changing "allow_active" from "yes" to "no" and restarting "pcscd" has
no impact either.
I don't understand what is going on, but this behavior doesn't seem to
be correct. A non-privileged user (that isn't even a member of group
"u2f") should not gain access to a security token plugged into the
machine.
Is this behavior reproducible by others, or maybe just a configuration
mistake by me?
I previously mentioned this issue here:
https://forums.FreeBSD.org/threads/94605/post-670209
Kind Regards,
Jan Behrens
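Added example, not part of the post above: the `.policy` defaults quoted in the message already say that only an active local session may use the two pcsc-lite actions (`allow_any` and `allow_inactive` are `no`), and an ssh login is neither local nor active, so a remote user being granted access suggests pcscd is not consulting polkit at all in that build (pcsc-lite's polkit check is a compile-time option). Where polkit is consulted, an explicit rules.d rule makes the intent enforceable and auditable independent of the `.policy` defaults. The rule below confines both actions to local, active sessions of users in group "u2f" and denies everyone else; it is wrapped in a small constructed stand-in for polkit's JavaScript rules API (`polkit.addRule`, `polkit.Result`, `subject.isInGroup`, `subject.local`, `subject.active`) so it can be exercised offline. The file name `10-pcsc-lite.rules` and the directory `/usr/local/etc/polkit-1/rules.d/` are assumptions for a FreeBSD install; real polkit supplies the `polkit` object and the `action`/`subject` arguments itself, so only the `polkit.addRule(...)` call belongs in the rules file.

```javascript
// Constructed stand-in for the polkit JavaScript rules engine (added example,
// not the polkit or pcsc-lite project's own code).  Real polkit provides the
// `polkit` object and evaluates registered rules in order, taking the first
// result that is not NOT_HANDLED (null).
const registeredRules = [];
const polkit = {
  Result: { YES: "yes", NO: "no", NOT_HANDLED: null },
  addRule(fn) { registeredRules.push(fn); },
  log(msg) { /* real polkit writes this to the system log; silent here */ },
};

// ---- the rule as it would be placed in (assumed path)
// ---- /usr/local/etc/polkit-1/rules.d/10-pcsc-lite.rules
const PCSC_ACTIONS = [
  "org.debian.pcsc-lite.access_pcsc",
  "org.debian.pcsc-lite.access_card",
];

polkit.addRule(function (action, subject) {
  // Leave every other action to later rules and the .policy defaults.
  if (PCSC_ACTIONS.indexOf(action.id) === -1) {
    return polkit.Result.NOT_HANDLED;
  }
  // Only a local, active session of a "u2f" group member may touch the token;
  // remote (ssh) or inactive sessions and non-members are denied outright.
  if (subject.local && subject.active && subject.isInGroup("u2f")) {
    return polkit.Result.YES;
  }
  polkit.log("pcsc-lite: denied " + action.id + " for user " + subject.user);
  return polkit.Result.NO;
});

// ---- helpers used only to drive the stand-in engine ----

// Build a subject object with the attributes the rule consults.
function makeSubject({ user, groups, local, active }) {
  return {
    user,
    local,
    active,
    isInGroup(name) { return groups.indexOf(name) !== -1; },
  };
}

// Evaluate an action id for a subject with polkit's first-non-null semantics.
function evaluate(actionId, subject) {
  const action = { id: actionId };
  for (const rule of registeredRules) {
    const result = rule(action, subject);
    if (result !== polkit.Result.NOT_HANDLED && result !== undefined) {
      return result;
    }
  }
  return polkit.Result.NOT_HANDLED;
}

// Constructed sample subjects: an ssh login in group u2f, a local console
// user outside the group, and a local console user inside the group.
const sshUser = makeSubject({ user: "alice", groups: ["u2f"], local: false, active: false });
const localOutsider = makeSubject({ user: "bob", groups: ["wheel"], local: true, active: true });
const localMember = makeSubject({ user: "carol", groups: ["u2f"], local: true, active: true });

console.log("ssh user, in u2f:      ", evaluate(PCSC_ACTIONS[0], sshUser));        // "no"
console.log("local user, not in u2f:", evaluate(PCSC_ACTIONS[1], localOutsider));  // "no"
console.log("local user, in u2f:    ", evaluate(PCSC_ACTIONS[1], localMember));    // "yes"
```

Whether such a rule has any effect at all is the first thing to check: if pcscd was built without polkit support, no `.policy` or `.rules` file will change what it allows, and access control falls back to the permissions on the pcscd socket and the USB device node.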