Re: Privileges using security tokens through PC/SC-daemon

Reply: Jan Behrens : "Re: Privileges using security tokens through PC/SC-daemon"
In reply to: Jan Behrens : "Re: Privileges using security tokens through PC/SC-daemon"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Kyle Evans <kevans_at_FreeBSD.org>
Date: Wed, 04 Sep 2024 23:14:56 UTC

On 9/4/24 17:58, Jan Behrens wrote:
> I think I may have found the problem. If I'm right, it is an issue of
> pcsc-lite in combination with FreeBSD.
> 
> Looking into pcsc-lite's file "src/auth.c", we find:
> 
> #if defined(HAVE_POLKIT) && defined(SO_PEERCRED)
> ...
> #else
> unsigned IsClientAuthorized(int socket, const char* action, const char* reader)
> {
> 	(void)socket;
> 	(void)action;
> 	(void)reader;
> 
> 	return 1;
> }
> 
> #endif
> 
> See:
> https://github.com/LudovicRousseau/PCSC/blob/da69dda356dc79300a997631f94efed7190d30a6/src/auth.c#L54
> 
> If I'm not mistaken, SO_PEERCRED is not set by the build system and it
> is not defined on FreeBSD (but only on Linux). Then pcsc-lite defaults
> to simply assume that any client is always authorized. Not good.
> 
> I wasn't able to get the build working, so maybe someone can check if
> my guess is correct.
> 
> Kind regards,
> Jan Behrens
> 

Right, that'd be a problem.  Something like this might work, but I 
haven't even build tested it:

https://people.freebsd.org/~kevans/pcsc-auth.diff

It could be cleaned up a little bit if it works.

Thanks,

Kyle Evans