Date:      Wed, 4 Sep 2024 10:41:47 +0200
From:      Jan Behrens <jbe-mlist@magnetkern.de>
To:        freebsd-security@freebsd.org
Subject:   Privileges using security tokens through PC/SC-daemon
Message-ID:  <20240904104147.8c1e74632b2c6d4f6a759ee6@magnetkern.de>

Hello,

I'm using packages "pcsc-lite-2.2.2,2" and "polkit-124_3" and set
"pcscd_enable" to "YES" in "/etc/rc.conf".

My computer has a YubiKey 5 NFC with firmware version 5.7.1 connected
to it. When I create an unprivileged user account and log in from a
remote machine (through ssh), then this unprivileged user account can
use "ykman" to access my security key and, for example, list stored
credentials, generate one-time tokens, erase or temporarily block the
device (by providing a wrong PIN), or even effectively brick it (if no
configuration password is set).

As far as I understand, polkit should prohibit this. pcsc-lite installs
a file "/usr/local/share/polkit-1/actions/org.debian.pcsc-lite.policy"
with the following contents:

------------
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
<policyconfig>
  <vendor>The PCSC-lite Project</vendor>
  <vendor_url>https://pcsclite.apdu.fr/</vendor_url>
<!--  <icon_name>smart-card</icon_name> -->

  <action id="org.debian.pcsc-lite.access_pcsc">
    <description>Access to the PC/SC daemon</description>
    <message>Authentication is required to access the PC/SC daemon</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>

  <action id="org.debian.pcsc-lite.access_card">
    <description>Access to the smart card</description>
    <message>Authentication is required to access the smart card</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>

</policyconfig>
------------

Changing "allow_active" from "yes" to "no" and restarting "pcscd" has
no impact either.

I don't understand what is going on, but this behavior doesn't seem to
be correct. A non-privileged user (that isn't even a member of group
"u2f") should not gain access to a security token plugged into the
machine.

Is this behavior reproducible by others, or maybe just a configuration
mistake by me?

I previously mentioned this issue here:
https://forums.FreeBSD.org/threads/94605/post-670209

Kind Regards,
Jan Behrens
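For reference, the group-based restriction the message expects from polkit can be written as a polkit rules file; this is an added example, not part of the original message or of pcsc-lite. It assumes the FreeBSD polkit package reads rules from /usr/local/etc/polkit-1/rules.d/ and uses the two action ids from the policy file above and the "u2f" group named in the message; it only has an effect if pcscd actually consults polkit, which the message reports did not appear to be happening (changing the defaults had no effect).

```javascript
// Hypothetical file: /usr/local/etc/polkit-1/rules.d/50-pcsc-u2f.rules
// Restricts the two pcsc-lite polkit actions to members of group "u2f".
// Decision logic is kept in a plain function so it can be checked outside polkit.

var PCSC_ACTIONS = [
  "org.debian.pcsc-lite.access_pcsc",
  "org.debian.pcsc-lite.access_card"
];

// Returns "yes", "no", or null (null = not a pcsc-lite action; leave to later rules/defaults).
function pcscDecision(actionId, isInU2f) {
  if (PCSC_ACTIONS.indexOf(actionId) === -1) {
    return null;
  }
  return isInU2f ? "yes" : "no";
}

// Register the rule only inside polkit's JavaScript engine, where the global
// "polkit" object exists; this lets the file also load under a plain JS runtime.
if (typeof polkit !== "undefined") {
  polkit.addRule(function (action, subject) {
    var decision = pcscDecision(action.id, subject.isInGroup("u2f"));
    if (decision === "yes") {
      return polkit.Result.YES;
    }
    if (decision === "no") {
      return polkit.Result.NO;
    }
    // Returning nothing means "not handled": polkit continues with other rules.
  });
}
```

Whether the rule is consulted at all can be checked from the non-u2f account described in the message: if ykman still lists credentials afterwards, pcscd is not going through polkit and the rules file is not the place to fix it.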
