From: Jan Behrens
To: freebsd-security@freebsd.org
Date: Thu, 5 Sep 2024 00:58:23 +0200
Subject: Re: Privileges using security tokens through PC/SC-daemon
Message-Id: <20240905005823.3f7aa990a66c5f40d4eb4a8b@magnetkern.de>
In-Reply-To: <20240904104147.8c1e74632b2c6d4f6a759ee6@magnetkern.de>
List-Archive: https://lists.freebsd.org/archives/freebsd-security

I think I may have found the problem. If I'm right, it is an issue of
pcsc-lite in combination with FreeBSD.

Looking into pcsc-lite's file "src/auth.c", we find:

    #if defined(HAVE_POLKIT) && defined(SO_PEERCRED)
    ...
    #else
    unsigned IsClientAuthorized(int socket, const char* action, const char* reader)
    {
        (void)socket;
        (void)action;
        (void)reader;

        return 1;
    }
    #endif

See:
https://github.com/LudovicRousseau/PCSC/blob/da69dda356dc79300a997631f94efed7190d30a6/src/auth.c#L54

If I'm not mistaken, SO_PEERCRED is not set by the build system and it is
not defined on FreeBSD (but only on Linux). Then pcsc-lite defaults to
simply assume that any client is always authorized. Not good.

I wasn't able to get the build working, so maybe someone can check if my
guess is correct.

Kind regards,
Jan Behrens

On Wed, 4 Sep 2024 10:41:47 +0200 Jan Behrens wrote:

> Hello,
>
> I'm using packages "pcsc-lite-2.2.2,2" and "polkit-124_3" and set
> "pcscd_enable" to "YES" in "/etc/rc.conf".
>
> My computer has a YubiKey 5 NFC with firmware version 5.7.1 connected
> to it. When I create an unprivileged user account and log in from a
> remote machine (through ssh), then this unprivileged user account can
> use "ykman" to access my security key and, for example, list stored
> credentials, generate one-time tokens, erase or temporarily block the
> device (by providing a wrong PIN), or even effectively brick it (if no
> configuration password is set).
>
> As far as I understand, polkit should prohibit this. pcsc-lite installs
> a file "/usr/local/share/polkit-1/actions/org.debian.pcsc-lite.policy"
> with the following contents:
>
> ------------
>
> "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
> "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
>
> The PCSC-lite Project
> https://pcsclite.apdu.fr/
>
> Access to the PC/SC daemon
> Authentication is required to access the PC/SC daemon
>
> no
> no
> yes
>
> Access to the smart card
> Authentication is required to access the smart card
>
> no
> no
> yes
>
> ------------
>
> Changing "allow_active" from "yes" to "no" and restarting "pcscd" has
> no impact either.
>
> I don't understand what is going on, but this behavior doesn't seem to
> be correct. A non-privileged user (that isn't even member of group
> "u2f") should not gain access to a security token plugged into the
> machine.
>
> Is this behavior reproducible by others, or maybe just a configuration
> mistake by me?
>
> I previously mentioned this issue here:
> https://forums.FreeBSD.org/threads/94605/post-670209
>
> Kind Regards,
> Jan Behrens
>