From nobody Thu Sep 5 00:17:50 2024 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Wzg1D1dsQz5W45t for ; Thu, 05 Sep 2024 00:17:52 +0000 (UTC) (envelope-from jbe-mlist@magnetkern.de) Received: from gaoxing.magnetkern.de (gaoxing.magnetkern.de [167.235.225.147]) by mx1.freebsd.org (Postfix) with ESMTP id 4Wzg1C6JDLz4Gtf; Thu, 5 Sep 2024 00:17:51 +0000 (UTC) (envelope-from jbe-mlist@magnetkern.de) Authentication-Results: mx1.freebsd.org; none Received: from titanium.fritz.box (p200300c26f20ef00264bfefffe54b09c.dip0.t-ipconnect.de [IPv6:2003:c2:6f20:ef00:264b:feff:fe54:b09c]) by gaoxing.magnetkern.de (Postfix) with ESMTPSA id DB5EA5F62D; Thu, 5 Sep 2024 02:17:52 +0200 (CEST) Date: Thu, 5 Sep 2024 02:17:50 +0200 From: Jan Behrens To: Kyle Evans Cc: freebsd-security@freebsd.org Subject: Re: Privileges using security tokens through PC/SC-daemon Message-Id: <20240905021750.6716898b6d52e08b0287940b@magnetkern.de> In-Reply-To: <92f328f3-0f74-441a-840b-fdc3ae71fe0b@FreeBSD.org> References: <20240904104147.8c1e74632b2c6d4f6a759ee6@magnetkern.de> <20240905005823.3f7aa990a66c5f40d4eb4a8b@magnetkern.de> <92f328f3-0f74-441a-840b-fdc3ae71fe0b@FreeBSD.org> X-Mailer: Sylpheed 3.7.0 (GTK+ 2.24.33; amd64-portbld-freebsd14.0) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Spamd-Bar: ---- X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; ASN(0.00)[asn:24940, ipnet:167.235.0.0/16, country:DE] X-Rspamd-Queue-Id: 4Wzg1C6JDLz4Gtf On Wed, 4 Sep 2024 18:14:56 -0500 Kyle Evans wrote: > On 9/4/24 17:58, Jan Behrens wrote: > > I think I may have found the problem. If I'm right, it is an issue of > > pcsc-lite in combination with FreeBSD. > > > > Looking into pcsc-lite's file "src/auth.c", we find: > > > > #if defined(HAVE_POLKIT) && defined(SO_PEERCRED) > > ... > > > > [...] > > > > See: > > https://github.com/LudovicRousseau/PCSC/blob/da69dda356dc79300a997631f94efed7190d30a6/src/auth.c#L54 > > > > If I'm not mistaken, SO_PEERCRED is not set by the build system and it > > is not defined on FreeBSD (but only on Linux). Then pcsc-lite defaults > > to simply assume that any client is always authorized. Not good. > > > > I wasn't able to get the build working, so maybe someone can check if > > my guess is correct. > > > > Kind regards, > > Jan Behrens > > > > Right, that'd be a problem. Something like this might work, but I > haven't even build tested it: > > https://people.freebsd.org/~kevans/pcsc-auth.diff > > It could be cleaned up a little bit if it works. > > Thanks, > > Kyle Evans > While that would fix things for FreeBSD, I still think it's not a good idea to default to "always grant access" when a C macro is missing. This could lead to unnoticed security vulnerabilities on other platforms as well. Maybe a better approach would be to make pcscd refuse to startup without --disable-polkit on those platforms where Polkit or socket authentication is not available/implemented. (And also add the fixes for FreeBSD like you suggested, so this does not apply to FreeBSD.) Regards Jan