On 9/4/24 19:17, Jan Behrens wrote:
On Wed, 4 Sep 2024 18:14:56 -0500
Kyle Evans <kev...@freebsd.org> wrote:
On 9/4/24 17:58, Jan Behrens wrote:
I think I may have found the problem. If I'm right, it is an issue of
pcsc-lite in combination with FreeBSD.
Looking into pcsc-lite's file "src/auth.c", we find:
#if defined(HAVE_POLKIT) && defined(SO_PEERCRED)
...
[...]
See:
https://github.com/LudovicRousseau/PCSC/blob/da69dda356dc79300a997631f94efed7190d30a6/src/auth.c#L54
If I'm not mistaken, SO_PEERCRED is not set by the build system and it
is not defined on FreeBSD (but only on Linux). Then pcsc-lite defaults
to simply assume that any client is always authorized. Not good.
I wasn't able to get the build working, so maybe someone can check if
my guess is correct.
Kind regards,
Jan Behrens
Right, that'd be a problem. Something like this might work, but I
haven't even build tested it:
https://people.freebsd.org/~kevans/pcsc-auth.diff
It could be cleaned up a little bit if it works.
Thanks,
Kyle Evans
While that would fix things for FreeBSD, I still think it's not a good
idea to default to "always grant access" when a C macro is missing.
This could lead to unnoticed security vulnerabilities on other
platforms as we
I don't have a strong opinion about this, but my
I-spent-five-minutes-looking-at-PCSC assessment would tend to agree.
Maybe a better approach would be to make pcscd refuse to startup
without --disable-polkit on those plnatforms where Polkit or socket
authentication is not available/implemented. (And also add the fixes
for FreeBSD like you suggested, so this does not apply to FreeBSD.)
I have a stronger opinion here- polkit is a build-time configuration
option, and it absolutely should not build if there's no sane
IsClientAuthorized implementation for the platform. Failing open when
the software has lead you to believe that a policy will be doing access
control is a complete tragedy that, IMO, is probably more of an
oversight than an intentional decision.
Thanks,
Kyle Evans
