Subject: Re: Privileges using security tokens through PC/SC-daemon
From: Kyle Evans <kevans@FreeBSD.org>
To: Jan Behrens
Cc: freebsd-security@freebsd.org
Date: Wed, 4 Sep 2024 21:58:23 -0500
Message-ID: <5e49667e-daf5-4c37-bc59-83ad8806c945@FreeBSD.org>
In-Reply-To: <20240905021750.6716898b6d52e08b0287940b@magnetkern.de>
References: <20240904104147.8c1e74632b2c6d4f6a759ee6@magnetkern.de>
 <20240905005823.3f7aa990a66c5f40d4eb4a8b@magnetkern.de>
 <92f328f3-0f74-441a-840b-fdc3ae71fe0b@FreeBSD.org>
 <20240905021750.6716898b6d52e08b0287940b@magnetkern.de>
List-Id: Security issues
List-Archive: https://lists.freebsd.org/archives/freebsd-security

On 9/4/24 19:17, Jan Behrens wrote:
> On Wed, 4 Sep 2024 18:14:56 -0500
> Kyle Evans wrote:
>
>> On 9/4/24 17:58, Jan Behrens wrote:
>>> I think I may have found the problem. If I'm right, it is an issue of
>>> pcsc-lite in combination with FreeBSD.
>>>
>>> Looking into pcsc-lite's file "src/auth.c", we find:
>>>
>>> #if defined(HAVE_POLKIT) && defined(SO_PEERCRED)
>>> ...
>>>
>>> [...]
>>>
>>> See:
>>> https://github.com/LudovicRousseau/PCSC/blob/da69dda356dc79300a997631f94efed7190d30a6/src/auth.c#L54
>>>
>>> If I'm not mistaken, SO_PEERCRED is not set by the build system and it
>>> is not defined on FreeBSD (but only on Linux). Then pcsc-lite defaults
>>> to simply assume that any client is always authorized. Not good.
>>>
>>> I wasn't able to get the build working, so maybe someone can check if
>>> my guess is correct.
>>>
>>> Kind regards,
>>> Jan Behrens
>>>
>>
>> Right, that'd be a problem. Something like this might work, but I
>> haven't even build-tested it:
>>
>> https://people.freebsd.org/~kevans/pcsc-auth.diff
>>
>> It could be cleaned up a little bit if it works.
>>
>> Thanks,
>>
>> Kyle Evans
>>
>
> While that would fix things for FreeBSD, I still think it's not a good
> idea to default to "always grant access" when a C macro is missing.
> This could lead to unnoticed security vulnerabilities on other
> platforms as we

I don't have a strong opinion about this, but my
I-spent-five-minutes-looking-at-PCSC assessment would tend to agree.

> Maybe a better approach would be to make pcscd refuse to startup
> without --disable-polkit on those platforms where Polkit or socket
> authentication is not available/implemented. (And also add the fixes
> for FreeBSD like you suggested, so this does not apply to FreeBSD.)

I have a stronger opinion here: polkit is a build-time configuration
option, and it absolutely should not build if there's no sane
IsClientAuthorized implementation for the platform. Failing open when
the software has led you to believe that a policy will be doing access
control is a complete tragedy that, IMO, is probably more of an
oversight than an intentional decision.

Thanks,

Kyle Evans
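An added example (not pcsc-lite's code and not the diff linked above) of the fail-closed shape argued for in this thread: the peer-credential lookup is selected per platform, a platform with neither SO_PEERCRED nor getpeereid(2) stops the build with #error instead of silently authorizing every client, and any failure to identify the caller denies access. peer_uid, policy_allows, is_client_authorized and the two demo_ functions are hypothetical names standing in for the real build plumbing and IsClientAuthorized; the policy stub simply allows the daemon's own uid so the self-check over a socketpair runs offline.

```c
/* Fail-closed peer authorization sketch (added example, hypothetical names). */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdbool.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* The shape reported in the thread: when the credential macro is missing,
 * the check degenerates to "everyone is authorized". Everything below does
 * the opposite: no credentials, no build; no identity, no access. */

#if defined(SO_PEERCRED)
/* Linux: the kernel fills in (pid, uid, gid) of the AF_UNIX peer. The struct
 * is declared locally so the example does not depend on _GNU_SOURCE being set
 * before the first system include; it has the same layout as struct ucred. */
struct peer_cred { pid_t pid; uid_t uid; gid_t gid; };

static int peer_uid(int fd, uid_t *uid)
{
    struct peer_cred cr;
    socklen_t len = sizeof(cr);
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cr, &len) != 0 ||
        len != sizeof(cr))
        return -1;
    *uid = cr.uid;
    return 0;
}
#elif defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__NetBSD__) || \
      defined(__DragonFly__) || defined(__APPLE__)
/* BSDs and macOS: getpeereid(2) returns the effective uid/gid of the peer. */
static int peer_uid(int fd, uid_t *uid)
{
    gid_t gid;
    return getpeereid(fd, uid, &gid);
}
#else
/* A policy check that cannot identify its caller is not a policy check:
 * refuse to build rather than fall through to "return true". */
#error "no peer-credential mechanism known for this platform"
#endif

/* Policy hook standing in for a polkit query. This stub permits only the
 * daemon's own uid, which is enough to exercise the code path offline. */
static bool policy_allows(uid_t uid)
{
    return uid == getuid();
}

/* Authorize a connected AF_UNIX client descriptor. Any failure to learn who
 * the peer is denies access instead of granting it. */
bool is_client_authorized(int fd)
{
    uid_t uid;
    if (peer_uid(fd, &uid) != 0)
        return false;            /* unidentified caller: fail closed */
    return policy_allows(uid);
}

/* Self-check: both ends of a socketpair belong to this process, so the peer
 * uid is ours and the stub policy must allow it. Returns 1 on success. */
int demo_authorizes_self(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    int ok = is_client_authorized(sv[0]) ? 1 : 0;
    close(sv[0]);
    close(sv[1]);
    return ok;
}

/* Self-check: a pipe carries no peer credentials, so the lookup fails and
 * the caller must be rejected rather than assumed authorized. Returns 1 when
 * the descriptor was correctly denied. */
int demo_rejects_non_socket(void)
{
    int p[2];
    if (pipe(p) != 0)
        return -1;
    int rejected = is_client_authorized(p[0]) ? 0 : 1;
    close(p[0]);
    close(p[1]);
    return rejected;
}

int main(void)
{
    return (demo_authorizes_self() == 1 && demo_rejects_non_socket() == 1) ? 0 : 1;
}
```

The point of the #else branch is the one Kyle makes above: a missing platform mechanism should surface as a build failure at configure or compile time, where a packager sees it, not as an authorization routine that quietly answers yes.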