On Friday 30 January 2009 11:30:23, Johannes Becker wrote:
> the device for my USB reader has owner 'root' and group 'scard'.
> I can use the reader without being in group 'scard'.
> How can I restrict the usage of the reader to users in group 'scard' ?
>
> The dilemma arises with Linux machines where you want to restrict
> the card reader to the one locally at the computer and you don't want
> those logged in remotely to interfere with the chipcard.

for openct see the openct documentation on this topic.
but I guess it applies to pcscd as well?

* put users into scard so they can access the smart card reader
* or change the sockets (e.g. in /var/run/openct/ or /var/run/pcscd/
  (not sure about the latter path)) to have a better permission.
  make sure the directory is open for everyone as well.
* to limit access to local users, edit the pam config, so local
  users are put into group smart card, but users from remote are not.

the last one is not very secure:
* login locally
    cp /bin/bash my_scard_bash
    chgrp scard my_scard_bash
    chmod +2700 my_scard_bash
* login remote
    ./my_scard_bash
  should work -> you create a private bash that gives you scard group rights.

an advanced solution uses ACLs and policykit for a similar, but
more secure trick. see recent discussions on this mailing list.

Regards, Andreas
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
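
An audit for the two points raised in the reply above, as an added example that is not part of the original mail or of OpenSC/OpenCT: it lists reader sockets that any user can connect to, and setgid files owned by the reader group in user-writable places. The group name 'scard' and the two socket directories are taken from the thread; the function names and the scanned directories (/home, /tmp, /var/tmp) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original mail). Function names are hypothetical.

# List regular files under directory $1 that carry the setgid bit and are
# group-owned by $2 (name or numeric gid). A private setgid copy of a shell,
# as described in the mail, would be reported here.
find_setgid_group_files() {
    dir=$1 group=$2
    find "$dir" -xdev -type f -group "$group" -perm -2000 -print 2>/dev/null
}

# List UNIX sockets under directory $1 that are writable by "other".
# Connecting to a socket needs write permission on it, so a hit means
# membership in the reader group is not required to reach the daemon.
find_world_writable_sockets() {
    dir=$1
    find "$dir" -xdev -type s -perm -0002 -print 2>/dev/null
}

# Run both checks. $1 is the reader group (assumed default: scard).
audit_reader_access() {
    group=${1:-scard}
    # Socket directories as named in the thread (the pcscd path is a guess there).
    for d in /var/run/openct /var/run/pcscd; do
        [ -d "$d" ] || continue
        find_world_writable_sockets "$d" | sed 's/^/world-writable socket: /'
    done
    # Places where an ordinary user could keep a file they own (assumed list).
    for d in /home /tmp /var/tmp; do
        [ -d "$d" ] || continue
        find_setgid_group_files "$d" "$group" | sed "s/^/setgid $group file: /"
    done
}
```

Source the file and call `audit_reader_access scard` as root so that every home directory can be read.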