Re: [Muscle] Re: [opensc-devel] Defining default paths for chipcard drivers
On Wednesday 02 May 2007 00:27:42 Michael Bender wrote:
> How does this access control mechanism work?

openct uses a status file and sockets, both placed in /var/run/openct/ only those with
0700 - only root can access it.
0750 - those in the group can use openct too,
0755 - everyone can use it.

Andreas
___
Muscle mailing list
Muscle@lists.musclecard.com
http://lists.drizzle.com/mailman/listinfo/muscle
Re: [Muscle] Re: [opensc-devel] Defining default paths for chipcard drivers
On Wednesday 02 May 2007 06:17:29 Martin Preuss wrote:
> On Wednesday 02 May 2007 00:27, Michael Bender wrote:
>> Andreas Jellinghaus wrote:
>>> On Tuesday 01 May 2007 21:14:26 Martin Preuss wrote:
>>>> For CTAPI drivers there is also another problem that should be addressed in the next step: I think it would be best to have a system group/user chipcard (or whatever name is feasible) analogous to the groups disk, audio etc.
>>> FYI: debian and ubuntu have scard for smart card access. currently used to limit access to openct.
>> How does this access control mechanism work?
> [...]
> My guess would be: By setting the group and permission of the unix domain socket of the daemon or ifdhandler?

IIRC some unix variants don't check permissions on socket files or something like that. so we put the permissions on the directory, which works on all unix systems. and that way openct doesn't need to know which permissions to use to create the sockets, which simplifies the code.

Regards, Andreas
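Added example (not part of the thread and not openct code): a Python audit of the scheme described in the two messages above, where the mode and group of the socket directory decide who can reach the daemon. The temporary directory standing in for /var/run/openct/ and the function names are assumptions; scard is the Debian/Ubuntu group mentioned in the thread.

```python
import grp
import os
import stat
import tempfile

def access_scope(dir_path):
    """Who can reach sockets in dir_path, judged by the directory's search (x) bits."""
    st = os.stat(dir_path)
    if not stat.S_ISDIR(st.st_mode):
        raise NotADirectoryError(dir_path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IXOTH:
        scope = "everyone"      # e.g. 0755
    elif mode & stat.S_IXGRP:
        scope = "group"         # e.g. 0750
    else:
        scope = "owner"         # e.g. 0700
    return scope, mode, st.st_gid

def audit(dir_path, want_scope="group", want_group="scard"):
    """Return findings for a socket directory; an empty list means it matches policy."""
    scope, mode, gid = access_scope(dir_path)
    findings = []
    if scope != want_scope:
        findings.append(f"mode {mode:04o} grants access to {scope}, expected {want_scope}")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"mode {mode:04o} lets non-owners create or replace sockets")
    if want_scope == "group":
        try:
            name = grp.getgrgid(gid).gr_name
        except KeyError:
            name = str(gid)     # gid has no entry in the group database
        if name != want_group:
            findings.append(f"directory group is {name}, expected {want_group}")
    return findings

def demo():
    """Constructed demo: a temporary directory stands in for /var/run/openct/."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for mode in (0o700, 0o750, 0o755, 0o777):
            os.chmod(d, mode)
            results[mode] = (access_scope(d)[0], audit(d))
        os.chmod(d, 0o700)      # restore so cleanup can remove the directory
    return results

if __name__ == "__main__":
    for mode, (scope, findings) in demo().items():
        print(f"{mode:04o}: {scope}; {findings or 'ok'}")
```

On a real host, call audit("/var/run/openct") directly; the demo's temporary directory belongs to the caller's own group, so it also reports a group mismatch.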
[Muscle] Re: [opensc-devel] Defining default paths for chipcard drivers
Hi,

On Tuesday 01 May 2007 18:29, Hanno Böck wrote:
[...]
> Now, already some technical thoughts:
> - We have, as far as I know, two kinds of chipcard-related driver types: pcsc drivers and ctapi.
> - At the moment, I can't see a reason why we shouldn't make it so simple to just say put all chipcard device drivers into one dir, let's say /usr/lib/readers/.
[...]

At least that's what SuSE is doing...

For CTAPI drivers there is also another problem that should be addressed in the next step: I think it would be best to have a system group/user chipcard (or whatever name is feasible) analogous to the groups disk, audio etc.

That's because applications using CTAPI drivers need some privileges to access a device which a user normally does not have. On some systems access to USB devices is generally granted to any user who is logged in, but I think a finer granularity is needed.

Basically this seems something to be discussed with those who are responsible for the various distributions (as might be the question about where to store drivers).

Regards
Martin

--
Things are only impossible until they're not

AqBanking - http://www.aqbanking.de/
LibChipcard - http://www.libchipcard.de/
Re: [Muscle] Re: [opensc-devel] Defining default paths for chipcard drivers
On Tuesday 01 May 2007 21:14:26 Martin Preuss wrote:
> For CTAPI drivers there is also another problem that should be addressed in the next step: I think it would be best to have a system group/user chipcard (or whatever name is feasible) analogous to the groups disk, audio etc.

FYI: debian and ubuntu have scard for smart card access. currently used to limit access to openct.

Andreas
Re: [Muscle] Re: [opensc-devel] Defining default paths for chipcard drivers
Andreas Jellinghaus wrote:
> On Tuesday 01 May 2007 21:14:26 Martin Preuss wrote:
>> For CTAPI drivers there is also another problem that should be addressed in the next step: I think it would be best to have a system group/user chipcard (or whatever name is feasible) analogous to the groups disk, audio etc.
> FYI: debian and ubuntu have scard for smart card access. currently used to limit access to openct.

How does this access control mechanism work?

mike
Re: [Muscle] Re: [opensc-devel] Defining default paths for chipcard drivers
On Wednesday 02 May 2007 00:27, Michael Bender wrote:
> Andreas Jellinghaus wrote:
>> On Tuesday 01 May 2007 21:14:26 Martin Preuss wrote:
>>> For CTAPI drivers there is also another problem that should be addressed in the next step: I think it would be best to have a system group/user chipcard (or whatever name is feasible) analogous to the groups disk, audio etc.
>> FYI: debian and ubuntu have scard for smart card access. currently used to limit access to openct.
> How does this access control mechanism work?
[...]

My guess would be: By setting the group and permission of the unix domain socket of the daemon or ifdhandler?

Regards
Martin

--
Things are only impossible until they're not

AqBanking - http://www.aqbanking.de/
LibChipcard - http://www.libchipcard.de/