Re: Privileges using security tokens through PC/SC-daemon

From: Kyle Evans <kevans_at_FreeBSD.org>
Date: Thu, 05 Sep 2024 02:58:23 UTC
On 9/4/24 19:17, Jan Behrens wrote:
> On Wed, 4 Sep 2024 18:14:56 -0500
> Kyle Evans <kevans@FreeBSD.org> wrote:
> 
>> On 9/4/24 17:58, Jan Behrens wrote:
>>> I think I may have found the problem. If I'm right, it is an issue of
>>> pcsc-lite in combination with FreeBSD.
>>>
>>> Looking into pcsc-lite's file "src/auth.c", we find:
>>>
>>> #if defined(HAVE_POLKIT) && defined(SO_PEERCRED)
>>> ...
>>>
>>> [...]
>>>
>>> See:
>>> https://github.com/LudovicRousseau/PCSC/blob/da69dda356dc79300a997631f94efed7190d30a6/src/auth.c#L54
>>>
>>> If I'm not mistaken, SO_PEERCRED is not set by the build system and it
>>> is not defined on FreeBSD (but only on Linux). Then pcsc-lite defaults
>>> to simply assume that any client is always authorized. Not good.
>>>
>>> I wasn't able to get the build working, so maybe someone can check if
>>> my guess is correct.
>>>
>>> Kind regards,
>>> Jan Behrens
>>>
>>
>> Right, that'd be a problem.  Something like this might work, but I
>> haven't even build-tested it:
>>
>> https://people.freebsd.org/~kevans/pcsc-auth.diff
>>
>> It could be cleaned up a little bit if it works.
>>
>> Thanks,
>>
>> Kyle Evans
>>
> 
> While that would fix things for FreeBSD, I still think it's not a good
> idea to default to "always grant access" when a C macro is missing.
> This could lead to unnoticed security vulnerabilities on other
> platforms as we

I don't have a strong opinion about this, but my 
I-spent-five-minutes-looking-at-PCSC assessment would tend to agree.

> Maybe a better approach would be to make pcscd refuse to startup
> without --disable-polkit on those platforms where Polkit or socket
> authentication is not available/implemented. (And also add the fixes
> for FreeBSD like you suggested, so this does not apply to FreeBSD.)
> 

I have a stronger opinion here: polkit is a build-time configuration 
option, and it absolutely should not build if there's no sane 
IsClientAuthorized implementation for the platform.  Failing open when 
the software has led you to believe that a policy will be doing access 
control is a complete tragedy that, IMO, is probably more of an 
oversight than an intentional decision.

Thanks,

Kyle Evans