Hello Martin,

On Mon, 2010-08-30 at 14:04 +0300, Martin Paljak wrote:
> Hello,
> On Aug 30, 2010, at 1:36 PM, Johannes Findeisen wrote:
> 
> > On Mon, 2010-08-30 at 13:11 +0300, Martin Paljak wrote:
> >> On Aug 30, 2010, at 12:19 PM, Ludovic Rousseau wrote:
> >>> As listed on the pcsc-lite TODO file [1] I would like to run pcscd as
> >>> a normal user instead of root. To do this I need to:
> 
> 
> I think it is important to pay attention to the original goal: to run pcscd 
> as a normal user instead of root.

Yep, that's what I want too. But, when running pcscd as normal user,
this normal user needs access to the device. Ok, you could make it usable
for all users. Then you are right. No need for an extra group.

> >> For example Debian SID extra groups of the auto-created user are: 
> >> 20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),105(scanner),111(netdev),112(bluetooth),117(powerdev).
> >>  I don't know exactly what the extra groups are for nor do I care a lot.
> >> Apparently they are needed to provide a usable desktop experience to me. 
> >> Quite many OpenCT related questions on the mailing list have been "runs as 
> >> root, does not run as user" and the reason being missing scard group. 
> >> 
> >> If the administrator wants to restrict access to smart cards or readers 
> >> and is serious about it, I'm sure he'll deploy something like SELinux as 
> >> well/instead.
> > 
> > That's not right. The groups are for restricting access to some special
> > devices and some other things. I use Gentoo Linux and if I want to play
> > games I need to be a member of the "games" group. That is sometimes
> > annoying but helps to restrict stuff.
> 
> Nothing personal, but "casual Linux users" (be that grandmas and grandpas or 
> just newcomers) don't use Gentoo with the scary "black text interface", they 
> use Ubuntu or Mandriva or something that they know from their Linux-curious 
> peers is "easy to handle".
> They don't want to restrict stuff, they want to do stuff, without 
> (artificial) restrictions. That amounts to a fair number of Linux users. 
> Those who consciously know what a group membership means, are a whole 
> different (I believe also much smaller) group of users.

It has nothing to do with Gentoo but it is very straight done in there.
I said that because it is very well done in Gentoo. Debian are using
many groups too and many casual users are using this distribution.

Gentoo has not just a "black text interface"!!! I use X and a very nice
desktop. I use the console much but my desktop is very important to me.

In case of hardware access it doesn't matter which distribution you use.
If you want to be a little bit secure it is a very good approach to
restrict access to some special group! And adding a user to a group is
nothing more than setting a checkbox in the user management utilities
available for every desktop (KDE, Gnome, Xfce etc.).

> > It is the same with devices. I, for example, am playing with LEGO
> > Mindstorms NXT and I created a "lego" group. When connecting the NXT
> > brick the device node becomes the group owner "lego"; Done by udev. Now
> > only users in the group "lego" are able to use that device. This
> > restriction even makes sense for smart card readers. In Debian, for
> > example, only users in the "dialout" group are able to dial with a
> > connected modem. Therefore this need not be done as root user but you
> > need to add users to that special group for that special functionality.
> See above. As long as the group is one of those that gets automagically 
> assigned by popular desktop distros, the name (or the presence of the 
> restriction) does not matter much. It will be needed for usability to assure 
> the "default user" of Linux distros will have the group, though, in addition 
> to those "dialout" and "floppy" (in 2010???) and "bluetooth" groups...
> 
> 
> > Using SELinux for that is not the "normal" or "easy" way to restrict
> > access to special devices. I have used Linux for 12 years and I don't want
> > to configure SELinux on my systems. It is not very easy to understand
> > for normal Linux system users. Adding a user to a special group is much
> > easier and enough restriction on most Linux based systems.
> 
> Creating a mechanism to run pcscd as a non-root user is not the same as 
> restricting access to pcscd (and thus devices). With the group based 
> restriction, it can easily become a rubber stamp. For those cases where you 
> really *need* to restrict access, there are better mechanisms than group 
> membership. Which, of course, is also a nice feature I don't mind having.

Which better mechanisms are you talking about? SELinux? This is very
difficult to handle and using groups is definitely the easiest and
most efficient way to implement that. And, udev handles that without any
problems when using a correctly set up rules file. Which is not the job
of the users to set it up but the job of the distribution developers. So
most stuff is done by the developers and just adding a user to a group
isn't that hard.

Since I don't make the decision about this issue, I just wanted to
clarify the situation. Since Ludovic Rousseau's point 2:

"2. write a udev (or whatever hotplug mechanism is used) file to set
the access rights of the USB reader device when connected"

is about the udev stuff and group settings I really took care of this
wish and wanted to describe how I do that and how Gentoo has implemented
it.

Just my two cents... ;)

Regards,
Johannes

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
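
The choice argued over in this thread (a reader node open to every user versus one that udev hands to a group), shown as an added example that is not from any poster or from pcsc-lite: a small Python audit that reads udev rule lines and reports who each rule lets open the device. The rules, the vendor ID `ffff` and the product IDs are constructed placeholders; the group name `scard` is borrowed from the thread for illustration only.

```python
import re

# Constructed sample rules: vendor ID "ffff" and the product IDs are
# placeholders; the group name "scard" is taken from the thread as an example.
SAMPLE_RULES = '''\
# reader usable by every local user
SUBSYSTEM=="usb", ATTR{idVendor}=="ffff", ATTR{idProduct}=="0001", MODE="0666"
# reader restricted to one group
SUBSYSTEM=="usb", ATTR{idVendor}=="ffff", ATTR{idProduct}=="0002", GROUP="scard", MODE="0660"
# group named, but the mode still opens the node to everyone
SUBSYSTEM=="usb", ATTR{idVendor}=="ffff", ATTR{idProduct}=="0003", GROUP="scard", MODE="0666"
# no permissions assigned by this rule
SUBSYSTEM=="usb", ATTR{idVendor}=="ffff", ATTR{idProduct}=="0004", SYMLINK+="example_reader"
'''

# KEY, operator, quoted value, e.g. ATTR{idVendor}=="ffff" or MODE="0660"
TOKEN = re.compile(r'([A-Za-z_]+(?:\{[^}]*\})?)\s*(==|!=|\+=|:=|=)\s*"([^"]*)"')

def parse_rule(line):
    """Split one rule into match keys (==, !=) and assignments (=, +=, :=)."""
    matches, assigns = {}, {}
    for key, op, value in TOKEN.findall(line):
        (matches if op in ("==", "!=") else assigns)[key] = value
    return matches, assigns

def classify(assigns):
    """Report who may open the device node according to GROUP and MODE."""
    if "MODE" not in assigns:
        return "unspecified"      # another rule or the system default decides
    mode = int(assigns["MODE"], 8)
    if mode & 0o006:
        return "world"            # others have read and/or write; GROUP adds nothing
    if mode & 0o060:
        return "group:" + assigns.get("GROUP", "(set elsewhere)")
    return "owner-only"

def audit(rules_text):
    """Return (product id, verdict) per rule; assumes one rule per line."""
    report = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        matches, assigns = parse_rule(line)
        report.append((matches.get("ATTR{idProduct}", "?"), classify(assigns)))
    return report

if __name__ == "__main__":
    for product, verdict in audit(SAMPLE_RULES):
        print(product, verdict)
```

The third rule is the case worth catching: naming a group while leaving the mode at `0666` restricts nothing.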
