Date: Wed, 4 Sep 2024 18:14:56 -0500
From: Kyle Evans <kevans@FreeBSD.org>
To: freebsd-security@freebsd.org
Subject: Re: Privileges using security tokens through PC/SC-daemon
Message-ID: <92f328f3-0f74-441a-840b-fdc3ae71fe0b@FreeBSD.org>
In-Reply-To: <20240905005823.3f7aa990a66c5f40d4eb4a8b@magnetkern.de>
References: <20240904104147.8c1e74632b2c6d4f6a759ee6@magnetkern.de> <20240905005823.3f7aa990a66c5f40d4eb4a8b@magnetkern.de>
On 9/4/24 17:58, Jan Behrens wrote:
> I think I may have found the problem. If I'm right, it is an issue of
> pcsc-lite in combination with FreeBSD.
>
> Looking into pcsc-lite's file "src/auth.c", we find:
>
> #if defined(HAVE_POLKIT) && defined(SO_PEERCRED)
> ...
> #else
> unsigned IsClientAuthorized(int socket, const char* action, const char* reader)
> {
> 	(void)socket;
> 	(void)action;
> 	(void)reader;
>
> 	return 1;
> }
>
> #endif
>
> See:
> https://github.com/LudovicRousseau/PCSC/blob/da69dda356dc79300a997631f94efed7190d30a6/src/auth.c#L54
>
> If I'm not mistaken, SO_PEERCRED is not set by the build system and it
> is not defined on FreeBSD (but only on Linux). Then pcsc-lite defaults
> to simply assume that any client is always authorized. Not good.
>
> I wasn't able to get the build working, so maybe someone can check if
> my guess is correct.
>
> Kind regards,
> Jan Behrens
>
Right, that'd be a problem. Something like this might work, but I
haven't even build tested it:

https://people.freebsd.org/~kevans/pcsc-auth.diff

It could be cleaned up a little bit if it works.

Thanks,

Kyle Evans
