Date: Wed, 4 Sep 2024 21:58:23 -0500
From: Kyle Evans <kevans@FreeBSD.org>
To: Jan Behrens <jbe-mlist@magnetkern.de>
Cc: freebsd-security@freebsd.org
Subject: Re: Privileges using security tokens through PC/SC-daemon
Message-ID: <5e49667e-daf5-4c37-bc59-83ad8806c945@FreeBSD.org>
In-Reply-To: <20240905021750.6716898b6d52e08b0287940b@magnetkern.de>
References: <20240904104147.8c1e74632b2c6d4f6a759ee6@magnetkern.de> <20240905005823.3f7aa990a66c5f40d4eb4a8b@magnetkern.de> <92f328f3-0f74-441a-840b-fdc3ae71fe0b@FreeBSD.org> <20240905021750.6716898b6d52e08b0287940b@magnetkern.de>
On 9/4/24 19:17, Jan Behrens wrote:
> On Wed, 4 Sep 2024 18:14:56 -0500
> Kyle Evans <kevans@FreeBSD.org> wrote:
>
>> On 9/4/24 17:58, Jan Behrens wrote:
>>> I think I may have found the problem. If I'm right, it is an issue of
>>> pcsc-lite in combination with FreeBSD.
>>>
>>> Looking into pcsc-lite's file "src/auth.c", we find:
>>>
>>> #if defined(HAVE_POLKIT) && defined(SO_PEERCRED)
>>> ...
>>>
>>> [...]
>>>
>>> See:
>>> https://github.com/LudovicRousseau/PCSC/blob/da69dda356dc79300a997631f94efed7190d30a6/src/auth.c#L54
>>>
>>> If I'm not mistaken, SO_PEERCRED is not set by the build system and it
>>> is not defined on FreeBSD (but only on Linux). Then pcsc-lite defaults
>>> to simply assume that any client is always authorized. Not good.
>>>
>>> I wasn't able to get the build working, so maybe someone can check if
>>> my guess is correct.
>>>
>>> Kind regards,
>>> Jan Behrens
>>>
>>
>> Right, that'd be a problem. Something like this might work, but I
>> haven't even build tested it:
>>
>> https://people.freebsd.org/~kevans/pcsc-auth.diff
>>
>> It could be cleaned up a little bit if it works.
>>
>> Thanks,
>>
>> Kyle Evans
>>
>
> While that would fix things for FreeBSD, I still think it's not a good
> idea to default to "always grant access" when a C macro is missing.
> This could lead to unnoticed security vulnerabilities on other
> platforms as we

I don't have a strong opinion about this, but my
I-spent-five-minutes-looking-at-PCSC assessment would tend to agree.

> Maybe a better approach would be to make pcscd refuse to startup
> without --disable-polkit on those platforms where Polkit or socket
> authentication is not available/implemented. (And also add the fixes
> for FreeBSD like you suggested, so this does not apply to FreeBSD.)
>

I have a stronger opinion here- polkit is a build-time configuration
option, and it absolutely should not build if there's no sane
IsClientAuthorized implementation for the platform.

Failing open when the software has led you to believe that a policy will
be doing access control is a complete tragedy that, IMO, is probably more
of an oversight than an intentional decision.

Thanks,

Kyle Evans
Archive URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5e49667e-daf5-4c37-bc59-83ad8806c945>
