Date: Wed, 4 Sep 2024 22:32:03 -0500
From: Kyle Evans
To: freebsd-security@freebsd.org
Subject: Re: Privileges using security tokens through PC/SC-daemon
List-Id: Security issues
List-Archive: https://lists.freebsd.org/archives/freebsd-security
In-Reply-To: <5e49667e-daf5-4c37-bc59-83ad8806c945@FreeBSD.org>
References: <20240904104147.8c1e74632b2c6d4f6a759ee6@magnetkern.de> <20240905005823.3f7aa990a66c5f40d4eb4a8b@magnetkern.de> <92f328f3-0f74-441a-840b-fdc3ae71fe0b@FreeBSD.org> <20240905021750.6716898b6d52e08b0287940b@magnetkern.de> <5e49667e-daf5-4c37-bc59-83ad8806c945@FreeBSD.org>
On 9/4/24 21:58, Kyle Evans wrote:
> On 9/4/24 19:17, Jan Behrens wrote:
>> On Wed, 4 Sep 2024 18:14:56 -0500
>> Kyle Evans wrote:
>>
>>> On 9/4/24 17:58, Jan Behrens wrote:
>>>> I think I may have found the problem. If I'm right, it is an issue of
>>>> pcsc-lite in combination with FreeBSD.
>>>>
>>>> Looking into pcsc-lite's file "src/auth.c", we find:
>>>>
>>>> #if defined(HAVE_POLKIT) && defined(SO_PEERCRED)
>>>> ...
>>>>
>>>> [...]
>>>>
>>>> See:
>>>> https://github.com/LudovicRousseau/PCSC/blob/da69dda356dc79300a997631f94efed7190d30a6/src/auth.c#L54
>>>>
>>>> If I'm not mistaken, SO_PEERCRED is not set by the build system and it
>>>> is not defined on FreeBSD (but only on Linux). Then pcsc-lite defaults
>>>> to simply assume that any client is always authorized. Not good.
>>>>
>>>> I wasn't able to get the build working, so maybe someone can check if
>>>> my guess is correct.
>>>>
>>>> Kind regards,
>>>> Jan Behrens
>>>>
>>>
>>> Right, that'd be a problem.  Something like this might work, but I
>>> haven't even build-tested it:
>>>
>>> https://people.freebsd.org/~kevans/pcsc-auth.diff
>>>
>>> It could be cleaned up a little bit if it works.
>>>
>>> Thanks,
>>>
>>> Kyle Evans
>>>
>>
>> While that would fix things for FreeBSD, I still think it's not a good
>> idea to default to "always grant access" when a C macro is missing.
>> This could lead to unnoticed security vulnerabilities on other
>> platforms as we
>
> I don't have a strong opinion about this, but my
> I-spent-five-minutes-looking-at-PCSC assessment would tend to agree.
>
>> Maybe a better approach would be to make pcscd refuse to start up
>> without --disable-polkit on those platforms where Polkit or socket
>> authentication is not available/implemented. (And also add the fixes
>> for FreeBSD like you suggested, so this does not apply to FreeBSD.)
>>
>
> I have a stronger opinion here- polkit is a build-time configuration
> option, and it absolutely should not build if there's no sane
> IsClientAuthorized implementation for the platform.  Failing open when
> the software has led you to believe that a policy will be doing access
> control is a complete tragedy that, IMO, is probably more of an
> oversight than an intentional decision.
>

I've posted a pull request now: https://github.com/LudovicRousseau/PCSC/pull/209

> Thanks,
>
> Kyle Evans
>