You have been subscribed to a public bug:

On Ubuntu 14.04 the AppArmor profile for the guest account restricts access
to /run/pcscd/pcscd.comm

PCSC-Lite provides the /run/pcscd/pcscd.comm UNIX domain socket that
libpcsclite clients use to talk to the server that manages smartcards.

Background information: Estonia has issued over a million smartcards to
its citizens, which allow authenticating online and digitally signing
documents.

Use cases that are broken with the current situation:
1. Giving a laptop to a friend/buddy/mother/sister to make a bank transfer online with the guest account
2. Using the Estonian ID-card software to sign and encrypt documents using the guest account
3. Deploying Ubuntu 14.04 on internet kiosks which should have the ability to access e-government services

Security implications:
Enabling access to the UNIX domain socket should not have many implications, since to actually use the card it would need to be unlocked using a PIN code, and that is handled at a higher level of the software stack (OpenSC). As the guest account requires physical presence, it doesn't make any difference if a malicious person already knows the PIN. He could just as well plug the card into his own machine to take advantage of the situation.

As a temporary fix I appended "/run/pcscd/pcscd.comm rw," to /etc/apparmor.d/lightdm-guest-session.
However, I believe modifying the upstream policy could blow up in my face at some point in time, and as discussed on #ubuntu-hardened, currently it is not possible to customize the guest session policy via /etc/apparmor.d/local:

18:57 < lauri> As I said I don't want to overwrite upstream file. I need to complement it, is it possible?
18:58 < mdeslaur> lauri: unfortunately not as-is, as the lightdm profile doesn't include the local directory
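A diagnostic helper, added here as an example and not part of the bug report, lightdm or PCSC-Lite: it picks AppArmor denials for the pcscd socket out of kernel audit lines, checks whether a profile text already carries a rule such as the "/run/pcscd/pcscd.comm rw," line mentioned above, and tells a policy refusal apart from pcscd simply not running. The profile name /usr/lib/lightdm/lightdm-guest-session and the audit lines are constructed assumptions.

```python
import errno
import re
import socket

PCSCD_SOCKET = "/run/pcscd/pcscd.comm"
# Kernel AppArmor audit record; field order as the kernel logs it.
DENIAL_RE = re.compile(
    r'apparmor="DENIED" operation="(?P<op>[^"]+)" profile="(?P<profile>[^"]+)" '
    r'name="(?P<name>[^"]+)"(?:.*?requested_mask="(?P<mask>[^"]+)")?'
)
# Plain file rule in a profile: "<path> <perms>," with an optional "owner" qualifier.
FILE_RULE_RE = re.compile(r'^\s*(?:owner\s+)?(\S+)\s+([a-zA-Z]+),\s*$')

SAMPLE_LOG = [  # constructed audit lines; the profile name is an assumption
    'audit: type=1400 audit(1402500000.123:42): apparmor="DENIED" operation="connect" '
    'profile="/usr/lib/lightdm/lightdm-guest-session" name="/run/pcscd/pcscd.comm" '
    'pid=1234 comm="qdigidocclient" requested_mask="wr" denied_mask="wr" fsuid=999 ouid=0',
    'audit: type=1400 audit(1402500000.456:43): apparmor="DENIED" operation="open" '
    'profile="/usr/lib/lightdm/lightdm-guest-session" name="/proc/1/environ" '
    'pid=1234 comm="cat" requested_mask="r" denied_mask="r" fsuid=999 ouid=0',
]

def parse_denials(lines, path=PCSCD_SOCKET):
    """(profile, operation, requested_mask) for each DENIED record naming `path`."""
    hits = []
    for line in lines:
        m = DENIAL_RE.search(line)
        if m and m.group("name") == path:
            hits.append((m.group("profile"), m.group("op"), m.group("mask")))
    return hits

def profile_grants(profile_text, path=PCSCD_SOCKET, need="rw"):
    """True if a file rule in the profile text covers `path` with every perm in `need`."""
    for line in profile_text.splitlines():
        m = FILE_RULE_RE.match(line.split("#", 1)[0])  # drop trailing comments
        if m and m.group(1) == path and set(need) <= set(m.group(2)):
            return True
    return False

def probe_socket(path=PCSCD_SOCKET):
    """Classify a connect: 'ok', 'denied' (EACCES/EPERM), 'absent' (pcscd not running), else errno name."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        try:
            s.connect(path)
            return "ok"
        except OSError as e:
            if e.errno in (errno.EACCES, errno.EPERM):
                return "denied"
            if e.errno in (errno.ENOENT, errno.ECONNREFUSED):
                return "absent"
            return errno.errorcode.get(e.errno, "unknown")
```

Run `probe_socket()` from inside a guest session and `parse_denials(open("/var/log/kern.log"))` on the host to confirm that a "denied" result is matched by a DENIED record for the socket rather than by a stopped pcscd.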

** Affects: lightdm (Ubuntu)
     Importance: Undecided
         Status: New

-- 
lightdm-guest-session restricts access to /run/pcscd/pcscd.comm
https://bugs.launchpad.net/bugs/1329923

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs