From nobody Wed Sep 4 08:41:47 2024 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4WzGFJ4c7fz5TRDF for ; Wed, 04 Sep 2024 08:41:56 +0000 (UTC) (envelope-from jbe-mlist@magnetkern.de) Received: from gaoxing.magnetkern.de (gaoxing.magnetkern.de [IPv6:2a01:4f8:c012:f130::1]) by mx1.freebsd.org (Postfix) with ESMTP id 4WzGFH44WDz4Rth for ; Wed, 4 Sep 2024 08:41:55 +0000 (UTC) (envelope-from jbe-mlist@magnetkern.de) Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=pass (mx1.freebsd.org: domain of jbe-mlist@magnetkern.de designates 2a01:4f8:c012:f130::1 as permitted sender) smtp.mailfrom=jbe-mlist@magnetkern.de Received: from titanium.fritz.box (p200300c26f20ef00264bfefffe54b09c.dip0.t-ipconnect.de [IPv6:2003:c2:6f20:ef00:264b:feff:fe54:b09c]) by gaoxing.magnetkern.de (Postfix) with ESMTPSA id 351605F0E6 for ; Wed, 4 Sep 2024 10:41:50 +0200 (CEST) Date: Wed, 4 Sep 2024 10:41:47 +0200 From: Jan Behrens To: freebsd-security@freebsd.org Subject: Privileges using security tokens through PC/SC-daemon Message-Id: <20240904104147.8c1e74632b2c6d4f6a759ee6@magnetkern.de> X-Mailer: Sylpheed 3.7.0 (GTK+ 2.24.33; amd64-portbld-freebsd14.0) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Spamd-Bar: -- X-Spamd-Result: default: False [-2.54 / 15.00]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_SHORT(-0.94)[-0.938]; MV_CASE(0.50)[]; R_SPF_ALLOW(-0.20)[+mx]; RCVD_NO_TLS_LAST(0.10)[]; ONCE_RECEIVED(0.10)[]; MIME_GOOD(-0.10)[text/plain]; RCVD_VIA_SMTP_AUTH(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; RCVD_COUNT_ONE(0.00)[1]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:24940, ipnet:2a01:4f8::/32, country:DE]; MID_RHS_MATCH_FROM(0.00)[]; R_DKIM_NA(0.00)[]; TO_DN_NONE(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; ARC_NA(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; DMARC_NA(0.00)[magnetkern.de]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; MLMMJ_DEST(0.00)[freebsd-security@freebsd.org]; FROM_HAS_DN(0.00)[] X-Rspamd-Queue-Id: 4WzGFH44WDz4Rth Hello, I'm using packages "pcsc-lite-2.2.2,2" and "polkit-124_3" and set "pcscd_enable" to "YES" in "/etc/rc.conf". My computer has a YubiKey 5 NFC with firmware version 5.7.1 connected to it. When I create an unprivileged user account and log in from a remote machine (through ssh), then this unprivileged user account can use "ykman" to access my security key and, for example, list stored credentials, generate one-time tokens, erase or temporariliy block the device (by providing a wrong PIN), or even effectively brick it (if no configuration password is set). As far as I understand, polkit should prohibit this. pcsc-lite installs a file "/usr/local/share/polkit-1/actions/org.debian.pcsc-lite.policy" with the following contents: ------------ The PCSC-lite Project https://pcsclite.apdu.fr/ Access to the PC/SC daemon Authentication is required to access the PC/SC daemon no no yes Access to the smart card Authentication is required to access the smart card no no yes ------------ Changing "allow_active" from "yes" to "no" and restarting "pcscd" has no impact either. I don't understand what is going on, but this behavior doesn't seem to be correct. A non-privileged user (that isn't even member of group "u2f") should not gain access to a security token plugged into the machine. Is this behavior reproducible by others, or maybe just a configuration mistake by me? I previously mentioned this issue here: https://forums.FreeBSD.org/threads/94605/post-670209 Kind Regards, Jan Behrens