Andreas Jellinghaus wrote:
> On Wednesday 28 January 2009 18:06:33 Alon Bar-Lev wrote:
> > On 1/28/09, Andreas Jellinghaus <a...@dungeon.inka.de> wrote:
> > >  > - Define policy for ACL (see freedesktop Bugzilla)
> > >
> > > root,root 0600 is fine with me. distributions could create some system
> > > account, and use that system account for such usb devices and run pcscd
> > > and openct under these accounts (if that works, not 100% sure here -
> > > never tried).
> >
> > No.
> > Should allow a group to access, such as root:usb 0660.
> > This way you can add the openctd user (the user under which ifdhandler
> > runs) to this group.
> 
> someone has a group "usb"? ouch. I don't like this proposal.
> 
> people might think "lets add a user to that group, like we do with audio
> and video, so people can use usb devices". if then this would be implemented
> like alon suggested, a user can access a device, that is required for login
> authentication (if you configured smart card authentication). bad idea, at
> minimum this could be a denial of service attack. not sure if claiming an
> interface via usb control prevents every other process to see what you send
> to and receive from that device, but I hope it does.

At least in openSUSE (and probably all other distros using
HAL+PolicyKit), default handling of devices is "deny everything".

Additional permissions are assigned:

- To groups, if group concept is sufficient.

In case of Smart Cards, it might be GID writability for "scard" group,
allowing to run smart card daemon without root privileges.

- Using ACL to locally logged users.

It was discussed last week as the controversial direct access to
selected readers, if selected applications are installed.

> My recommendation stands: either run that software as root, or use a special
> user for these access rights. (is there a special reason not to have some user
> as the owner of the dynamically created device nodes? if so, a special group
> with one user only could help, but it should not have a generic name. and I
> don't know of any such reason)

Yes. If the device will be identified as Smart Card device, GID write
permission and ACL will be set by HAL+PolicyKit automatically. Smart
card daemons don't need to care about it.

> btw: many distributions have a group "scard" that regulates access to smart
> card reader middleware (pcscd and openct). (well, ok, debian and ubuntu have 
> that group, not 100% sure about other distributions).

openSUSE used "daemon" up to now. Security team recommended a dedicated
group, so I will create "scard" as well and set policy accordingly.

-- 
Best Regards / S pozdravem,

Stanislav Brabec
software developer
---------------------------------------------------------------------
SUSE LINUX, s. r. o.                          e-mail: sbra...@suse.cz
Lihovarská 1060/12           tel: +420 284 028 966, +49 911 740538747
190 00 Praha 9                                  fax: +420 284 028 951
Czech Republic                                    http://www.suse.cz/
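As an added example (not part of the thread or of any of the projects mentioned), a small POSIX shell audit of device-node ownership and modes against the policy the messages above converge on: owner root, a dedicated group (assumed here to be "scard"), mode 0660 or stricter, never world-accessible and never handed to a generic group such as "usb". The input lines are constructed, in the shape `stat -c '%n %U %G %a'` prints for real nodes.

```shell
#!/bin/sh
# Added example: audit device-node permissions for smart card readers.
# Policy (assumed from the discussion): owner root, group $SCARD_GROUP,
# mode 0660 at most, no world access, no generic groups like "usb".
SCARD_GROUP="${SCARD_GROUP:-scard}"
GENERIC_GROUPS="usb plugdev users"

# check_node PATH OWNER GROUP MODE -> prints "OK ..." or "FAIL ...", returns 0/1
check_node() {
    path=$1 owner=$2 group=$3 mode=$4
    # keep only the rwx bits; leading 0 forces octal interpretation
    perm=$(printf '%o' "$((0$mode & 0777))")
    if [ "$owner" != root ]; then
        echo "FAIL $path: owner is $owner, expected root"; return 1
    fi
    # world access lets any local process talk to the reader (DoS, sniffing)
    if [ "$((0$perm & 07))" -ne 0 ]; then
        echo "FAIL $path: world-accessible (mode $perm)"; return 1
    fi
    if [ "$((0$perm & 070))" -ne 0 ]; then
        for g in $GENERIC_GROUPS; do
            if [ "$group" = "$g" ]; then
                echo "FAIL $path: group access given to generic group '$group'"; return 1
            fi
        done
        if [ "$group" != "$SCARD_GROUP" ]; then
            echo "FAIL $path: group is $group, expected $SCARD_GROUP"; return 1
        fi
        if [ "$perm" != 660 ]; then
            echo "FAIL $path: mode $perm, expected 660"; return 1
        fi
    fi
    echo "OK $path: $owner:$group $perm"
}

# audit_nodes: reads "<path> <owner> <group> <mode>" lines on stdin,
# returns the number of non-compliant nodes as its exit status
audit_nodes() {
    fails=0
    while read -r p o g m; do
        [ -z "$p" ] && continue
        check_node "$p" "$o" "$g" "$m" || fails=$((fails + 1))
    done
    return $fails
}

# Constructed sample: compliant node, generic "usb" group, world-writable, root-only
SAMPLE='/dev/bus/usb/001/004 root scard 660
/dev/bus/usb/001/005 root usb 660
/dev/bus/usb/001/006 root root 666
/dev/bus/usb/001/007 root root 600'

if printf '%s\n' "$SAMPLE" | audit_nodes; then echo "all nodes compliant"; else echo "failures: $?"; fi
```

On a live system, feed it `stat -c '%n %U %G %a' /dev/bus/usb/*/*` instead of the constructed sample; ACL entries (the second mechanism described above) need `getfacl` and are not covered here.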

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
