Date:      Thu, 5 Sep 2024 02:17:50 +0200
From:      Jan Behrens <jbe-mlist@magnetkern.de>
To:        Kyle Evans <kevans@FreeBSD.org>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Privileges using security tokens through PC/SC-daemon
Message-ID:  <20240905021750.6716898b6d52e08b0287940b@magnetkern.de>
In-Reply-To: <92f328f3-0f74-441a-840b-fdc3ae71fe0b@FreeBSD.org>
References:  <20240904104147.8c1e74632b2c6d4f6a759ee6@magnetkern.de> <20240905005823.3f7aa990a66c5f40d4eb4a8b@magnetkern.de> <92f328f3-0f74-441a-840b-fdc3ae71fe0b@FreeBSD.org>

On Wed, 4 Sep 2024 18:14:56 -0500
Kyle Evans <kevans@FreeBSD.org> wrote:

> On 9/4/24 17:58, Jan Behrens wrote:
> > I think I may have found the problem. If I'm right, it is an issue of
> > pcsc-lite in combination with FreeBSD.
> > 
> > Looking into pcsc-lite's file "src/auth.c", we find:
> > 
> > #if defined(HAVE_POLKIT) && defined(SO_PEERCRED)
> > ...
> > 
> > [...]
> > 
> > See:
> > https://github.com/LudovicRousseau/PCSC/blob/da69dda356dc79300a997631f94efed7190d30a6/src/auth.c#L54
> > 
> > If I'm not mistaken, SO_PEERCRED is not set by the build system and it
> > is not defined on FreeBSD (but only on Linux). Then pcsc-lite defaults
> > to simply assume that any client is always authorized. Not good.
> > 
> > I wasn't able to get the build working, so maybe someone can check if
> > my guess is correct.
> > 
> > Kind regards,
> > Jan Behrens
> > 
> 
> Right, that'd be a problem.  Something like this might work, but I 
> haven't even build tested it:
> 
> https://people.freebsd.org/~kevans/pcsc-auth.diff
> 
> It could be cleaned up a little bit if it works.
> 
> Thanks,
> 
> Kyle Evans
> 

While that would fix things for FreeBSD, I still think it's not a good
idea to default to "always grant access" when a C macro is missing.
This could lead to unnoticed security vulnerabilities on other
platforms as well.

Maybe a better approach would be to make pcscd refuse to start up
without --disable-polkit on those platforms where Polkit or socket
authentication is not available/implemented. (And also add the fixes
for FreeBSD like you suggested, so this does not apply to FreeBSD.)

Regards
Jan



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20240905021750.6716898b6d52e08b0287940b>