Hello,

On Aug 30, 2010, at 1:36 PM, Johannes Findeisen wrote:
> On Mon, 2010-08-30 at 13:11 +0300, Martin Paljak wrote:
>> On Aug 30, 2010, at 12:19 PM, Ludovic Rousseau wrote:
>>> As listed on the pcsc-lite TODO file [1] I would like to run pcscd as
>>> a normal user instead of root. To do this I need to:

I think it is important to pay attention to the original goal: to run pcscd as a normal user instead of root.

>> For example Debian SID extra groups of the auto-created user are:
>> 20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),105(scanner),111(netdev),112(bluetooth),117(powerdev).
>> I don't know exactly what the extra groups are for nor do I care a lot.
>> Apparently they are needed to provide a usable desktop experience to me.
>> Quite many OpenCT related questions on the mailing list have been "runs as
>> root, does not run as user" and the reason being missing scard group.
>>
>> If the administrator wants to restrict access to smart cards or readers and
>> is serious about it, I'm sure he'll deploy something like SELinux as
>> well/instead.
>
> That's not right. The groups are for restricting access to some special
> devices and some other things. I use Gentoo Linux and if I want to play
> games I need to be a member of the "games" group. That is sometimes
> annoying but helps to restrict stuff.

Nothing personal, but "casual Linux users" (be that grandmas and grandpas or just newcomers) don't use Gentoo with the scary "black text interface", they use Ubuntu or Mandriva or something that they know from their Linux-curious peers is "easy to handle". They don't want to restrict stuff, they want to do stuff, without (artificial) restrictions. That amounts to a fair number of Linux users. Those who consciously know what a group membership means, are a whole different (I believe also much smaller) group of users.

> It is the same with devices. I for example are playing with LEGO
> Mindstorms NXT and I created a "lego" group. When connecting the NXT
> brick the device node becomes the group owner "lego"; Done by udev. Now
> only users in the group "lego" are able to use that device. This
> restriction even makes sense for smart card readers. In Debian, for
> example, only users in the "dialout" group are able to dial with a
> connected modem.
> Therefore this not must be done as root user but you
> need to add users to that special group for that special functionality.

See above. As long as the group is one of those that gets automagically assigned by popular desktop distros, the name (or the presence of the restriction) does not matter much. It will be needed for usability to assure the "default user" of Linux distros will have the group, though, in addition to those "dialout" and "floppy" (in 2010???) and "bluetooth" groups...

> Using SELinux for that is not the "normal" or "easy" way to restrict
> access to special devices. I use Linux since 12 years and I don't want
> to configure SELinux on my systems. It is not very easy to understand
> for normal Linux system users. Adding a user to a special group is much
> more easy and enough restriction on most Linux based systems.

Creating a mechanism to run pcscd as a non-root user is not the same as restricting access to pcscd (and thus devices). With the group based restriction, it can easily become a rubber stamp. For those cases where you really *need* to restrict access, there are better mechanisms than group membership. Which, of course, is also a nice feature I don't mind having.

Just my two cents.

--
Martin Paljak
@martinpaljak.net
+3725156495

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel