On 17/10/06, Shawn Willden <[EMAIL PROTECTED]> wrote:
> I was going for a solution to a little more general problem than you're
> looking at, though.  You might be able to accomplish what you need just by
> changing permissions on the pcscd socket.  You'll need to restart pcscd when
> the user logs in, in order to ensure that any old connections to pcscd are
> torn down.  And you might want to think about how to ensure that an attacker
> can't get a connection between the time you start pcscd and the time you
> change the ownership/permission of the socket.  Maybe you should make sure
> that pcscd runs as the console user and that it creates the socket file with
> appropriately restricted access.

You need to start pcscd as root so that it can create files in
/var/run/, and the reader drivers need to start as root so that they can
access the devices in /dev/.

But it would be possible to add a --uid 1234 argument to pcscd so that
the /var/run/pcscd.* files are only accessible for that uid (and
root). It should then be possible to start (or restart) pcscd from PAM
during the user login.

Bye,

--
 Dr. Ludovic Rousseau
_______________________________________________
Muscle mailing list
Muscle@lists.musclecard.com
http://lists.drizzle.com/mailman/listinfo/muscle