Re: [opensc-devel] HAL proposal for smart cards (clarification)

2009-01-30 Thread Stanislav Brabec
Andreas Jellinghaus wrote:
> Am Mittwoch 28 Januar 2009 19:02:39 schrieb Stanislav Brabec:
> > In case of Smart Cards, it might be GID writability for "scard" group,
> > allowing to run smart card daemon without root privileges.
> 
> if pcscd or openct should run as non-root, then there should be:
> * one way how openct/pcscd can access the serial and usb devices
>(please document what users with serial smart card readers need to do)

This might work:


  

  smart_card_reader

  

(Depending on system configuration, removing the "modem" capability would
be useful.)

> * one way how users allowed to access the readers can connect to openct/pcscd

Socket GID writeable for scard. By default, no users are in the scard group.
Then use e.g.:
polkit-auth --constraint local /var/run/openct
or something similar.

> I think these two things should be kept separated, and "scard" is already 
> used 
> for the latter case.

"scard" UID may be used for daemon access, "scard" GID may be used as a
static alternative for those sysadmins who don't want to use
PolicyKit.

Static style (rough draft):
chown -R scard:scard /var/run/openct
chmod -R 770 /var/run/openct
chmod -R 770 /dev/path_to_the_reader
Run daemon as scard user.
Add selected users to group scard.
=> Only users in group scard can access the reader.

Dynamic way with HAL+PolicyKit (rough draft):
- set PolicyKit according to http://bugs.freedesktop.org/show_bug.cgi?id=19663
chown -R scard:scard /var/run/openct
chmod -R 770 /var/run/openct
polkit-auth --constraint local /var/run/openct
(/dev/path_to_the_reader is handled by PolicyKit automatically)
Run daemon as scard user.
Don't add anybody to group scard.
=> Only users logged in locally can access the reader (it can be changed in
   PolicyKit settings).

-- 
Best Regards / S pozdravem,

Stanislav Brabec
software developer
-
SUSE LINUX, s. r. o.    e-mail: sbra...@suse.cz
Lihovarská 1060/12      tel: +420 284 028 966, +49 911 740538747
190 00 Praha 9          fax: +420 284 028 951
Czech Republic          http://www.suse.cz/

___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
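An added check, not part of the thread, that audits a socket directory or device node against the "static style" scheme above (owner the daemon user, group scard, mode 770, nothing for "other"); the same check applies to the /var/run/pcscd files mentioned later in the thread. The demo runs on a constructed temporary directory, since the real paths need root and the scard user and group:

```shell
# Added example (not from the thread): verify that a path follows the
# static scheme: owner = daemon user, group = scard, no bits for "other".
# Usage: check_scard_perms PATH EXPECTED_USER EXPECTED_GROUP
# Returns 0 when locked down, 1 otherwise; findings go to stdout.
check_scard_perms() {
    path=$1; want_user=$2; want_group=$3
    [ -e "$path" ] || { echo "$path: does not exist"; return 1; }
    # Portable parse of "ls -ld": fields are mode, links, owner, group, ...
    set -- $(ls -ld "$path")
    mode=$1; owner=$3; group=$4
    rc=0
    [ "$owner" = "$want_user" ] || { echo "$path: owner $owner, expected $want_user"; rc=1; }
    [ "$group" = "$want_group" ] || { echo "$path: group $group, expected $want_group"; rc=1; }
    # Characters 8-10 of the mode string are the "other" rwx bits.
    other=$(printf '%s' "$mode" | cut -c8-10)
    [ "$other" = "---" ] || { echo "$path: world-accessible ($mode)"; rc=1; }
    return $rc
}

# Demonstration on a constructed temporary directory standing in for
# /var/run/openct; the current user and primary group stand in for scard.
demo_dir=$(mktemp -d)
me=$(id -un); mygrp=$(id -gn)
chmod 775 "$demo_dir"   # weak: "other" still gets r-x on the socket dir
check_scard_perms "$demo_dir" "$me" "$mygrp" || echo "weak setup detected"
chmod 770 "$demo_dir"   # the scheme from the message
check_scard_perms "$demo_dir" "$me" "$mygrp" && echo "ok: locked down"
rm -rf "$demo_dir"
```

Run it against each path the daemon exposes (socket directory, socket files, reader device node) after applying the chown/chmod steps.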


Re: [opensc-devel] HAL proposal for smart cards (clarification)

2009-01-30 Thread Stanislav Brabec
Andreas Jellinghaus wrote:
> Am Mittwoch 28 Januar 2009 19:30:52 schrieb Stanislav Brabec:
> > How to name the main category "smart_card_reader or crypto_token"?
> 
> I think it is easier to explain that a usb crypto token is a device consisting
> of a reduced smart card reader and a fixed built-in smart card. I guess
> this is quite close to the truth. the other way would be more like the pkcs#11
> document (they talk about tokens all the time, but cover software 
> implementations too), and harder to explain I think.

OK. Considering consensus on "info.category: smart_card_reader", I will
appropriately correct the patch in
http://bugs.freedesktop.org/show_bug.cgi?id=19663

Nothing more is actually needed for PolicyKit.

> > 2) Use "smart_card_reader" and invent a different name for "the one with
> >slot for cards".
> 
> maybe something like "slots:1" , "slots:2", "slots:fixed"?

smart_card_reader.num_slots. But I guess that we can live without this
key, as a separate key would be more flexible.

To discriminate between these two types of devices, capabilities line
"smart_token" and "smart_card_slots" would be sufficient.
 
> or use the card size format here? (e.g. "slots:id0,wireless" ?)
> not 100% sure

No. It is not scalable. Sometime in the future, you would want to assign
another key to a slot, and it would be impossible (or it would introduce
ugly parsing problems).

It would be better to postpone these keys to possible future separate
HAL record for slot.

-- 
Best Regards / S pozdravem,

Stanislav Brabec
software developer
-
SUSE LINUX, s. r. o.    e-mail: sbra...@suse.cz
Lihovarská 1060/12      tel: +420 284 028 966, +49 911 740538747
190 00 Praha 9          fax: +420 284 028 951
Czech Republic          http://www.suse.cz/



Re: [opensc-devel] group scard, Firefox

2009-01-30 Thread Andreas Jellinghaus
Am Freitag 30 Januar 2009 11:30:23 schrieb Johannes Becker:
> the device for my USB reader has owner 'root' and group 'scard'.
> I can use the reader without being in group 'scard'.
> How can I restrict the usage of the reader to users in group 'scard' ?
>
> The dilemma arises with Linux machines where you want to restrict
> the card reader to the one locally at the computer and you don't want
> those logged in remotely to interfere with the chipcard.

for openct see the openct documentation on this topic.
but I guess it applies to pcscd as well?

* put users into scard so they can access the smart card reader
* or change the sockets (e.g. in /var/run/openct/ or /var/run/pcscd/ (not sure
about the latter path)) to have better permissions. make sure the
directory is open for everyone as well.

* to limit access to local users, edit the pam config, so local users are put
into the scard group, but users from remote are not.

the last one is not very secure:
* login locally
cp /bin/bash my_scard_bash
chgrp scard my_scard_bash
chmod +2700 my_scard_bash
* login remote
./my_scard_bash

should work -> you create a private bash
that gives you scard group rights.

an advanced solution uses ACLs and policykit for a similar, but more secure
trick. see recent discussions on this mailing list.

Regards, Andreas


Re: [opensc-devel] group scard, Firefox

2009-01-30 Thread Ludovic Rousseau
2009/1/30 Johannes Becker :
> Hello,

Hello,

> the device for my USB reader has owner 'root' and group 'scard'.
> I can use the reader without being in group 'scard'.
> How can I restrict the usage of the reader to users in group 'scard' ?
>
> The dilemma arises with Linux machines where you want to restrict
> the card reader to the one locally at the computer and you don't want
> those logged in remotely to interfere with the chipcard.

You can set permissions on the files /var/run/pcscd/pcscd.{comm,pub} for that.

Or just permanently restrict access to the /var/run/pcscd directory.
The directory should not be deleted/recreated on reboot (on Debian and
derivatives).

bye

-- 
 Dr. Ludovic Rousseau


Re: [opensc-devel] Debian lenny: unplugging the chipcard reader

2009-01-30 Thread Ludovic Rousseau
2009/1/30 Johannes Becker :
> Hello,

Hello,

> using Debian lenny at the moment the card reader has to be
> plugged in to the USB port while the PC boots.
> If you plug it in later or if you unplug and plug again, the reader doesn't
> work. I noticed this only recently. It was ok before.
>
> # uname -a
> Linux be 2.6.26-1-686 #1 SMP Sat Jan 10 18:29:31 UTC 2009 i686 GNU/Linux
>
> pcscd Version: 1.4.102-1
> libccid Version: 1.3.8-1
> opensc Version: 0.11.4-5

You do not give the name of your smart card reader.

Please follow the procedure described at [1] when reporting a problem
with my CCID driver.

Bye

[1] http://pcsclite.alioth.debian.org/ccid.html#support

-- 
 Dr. Ludovic Rousseau


[opensc-devel] group scard, Firefox

2009-01-30 Thread Johannes Becker
Hello,

the device for my USB reader has owner 'root' and group 'scard'.
I can use the reader without being in group 'scard'.
How can I restrict the usage of the reader to users in group 'scard' ?

The dilemma arises with Linux machines where you want to restrict
the card reader to the one locally at the computer and you don't want
those logged in remotely to interfere with the chipcard.

--
Grüße
  Johannes


[opensc-devel] Debian lenny: unplugging the chipcard reader

2009-01-30 Thread Johannes Becker
Hello,

using Debian lenny at the moment the card reader has to be
plugged in to the USB port while the PC boots.
If you plug it in later or if you unplug and plug again, the reader doesn't
work. I noticed this only recently. It was ok before.

# uname -a
Linux be 2.6.26-1-686 #1 SMP Sat Jan 10 18:29:31 UTC 2009 i686 GNU/Linux

pcscd Version: 1.4.102-1
libccid Version: 1.3.8-1
opensc Version: 0.11.4-5

--
Grüße
  Johannes


Re: [opensc-devel] Fix for O2 Micro CCID SC Reader

2009-01-30 Thread Ludovic Rousseau
Hello,

2009/1/29 Andrey Jivsov :
> I am attaching the tested patch to the file ifd-ccid.c to add support for
> the reader. The reader's USB IDs that I tested with are 0b97:7762 and
> 0b97:7772. Without this patch the ifd-ccid.c code will not work with these
> readers.

Why do you use OpenCT instead of pcsc-lite + my CCID driver?

Bye

-- 
 Dr. Ludovic Rousseau