Date:      Thu, 5 Sep 2024 00:58:23 +0200
From:      Jan Behrens <jbe-mlist@magnetkern.de>
To:        freebsd-security@freebsd.org
Subject:   Re: Privileges using security tokens through PC/SC-daemon
Message-ID:  <20240905005823.3f7aa990a66c5f40d4eb4a8b@magnetkern.de>
In-Reply-To: <20240904104147.8c1e74632b2c6d4f6a759ee6@magnetkern.de>
References:  <20240904104147.8c1e74632b2c6d4f6a759ee6@magnetkern.de>

I think I may have found the problem. If I'm right, it is an issue of
pcsc-lite in combination with FreeBSD.

Looking into pcsc-lite's file "src/auth.c", we find:

#if defined(HAVE_POLKIT) && defined(SO_PEERCRED)
...
#else
unsigned IsClientAuthorized(int socket, const char* action, const char* reader)
{
	(void)socket;
	(void)action;
	(void)reader;

	return 1;
}

#endif

See:
https://github.com/LudovicRousseau/PCSC/blob/da69dda356dc79300a997631f94efed7190d30a6/src/auth.c#L54

If I'm not mistaken, SO_PEERCRED is not set by the build system and it
is not defined on FreeBSD (but only on Linux). Then pcsc-lite defaults
to simply assuming that any client is always authorized. Not good.

I wasn't able to get the build working, so maybe someone can check if
my guess is correct.

Kind regards,
Jan Behrens


On Wed, 4 Sep 2024 10:41:47 +0200
Jan Behrens <jbe-mlist@magnetkern.de> wrote:

> Hello,
> 
> I'm using packages "pcsc-lite-2.2.2,2" and "polkit-124_3" and set
> "pcscd_enable" to "YES" in "/etc/rc.conf".
> 
> My computer has a YubiKey 5 NFC with firmware version 5.7.1 connected
> to it. When I create an unprivileged user account and log in from a
> remote machine (through ssh), then this unprivileged user account can
> use "ykman" to access my security key and, for example, list stored
> credentials, generate one-time tokens, erase or temporarily block the
> device (by providing a wrong PIN), or even effectively brick it (if no
> configuration password is set).
> 
> As far as I understand, polkit should prohibit this. pcsc-lite installs
> a file "/usr/local/share/polkit-1/actions/org.debian.pcsc-lite.policy"
> with the following contents:
> 
> ------------
> <?xml version="1.0" encoding="UTF-8"?>
> <!DOCTYPE policyconfig PUBLIC
>  "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
>  "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
> <policyconfig>
>   <vendor>The PCSC-lite Project</vendor>
>   <vendor_url>https://pcsclite.apdu.fr/</vendor_url>
> <!--  <icon_name>smart-card</icon_name> -->
> 
>   <action id="org.debian.pcsc-lite.access_pcsc">
>     <description>Access to the PC/SC daemon</description>
>     <message>Authentication is required to access the PC/SC daemon</message>
>     <defaults>
>       <allow_any>no</allow_any>
>       <allow_inactive>no</allow_inactive>
>       <allow_active>yes</allow_active>
>     </defaults>
>   </action>
> 
>   <action id="org.debian.pcsc-lite.access_card">
>     <description>Access to the smart card</description>
>     <message>Authentication is required to access the smart card</message>
>     <defaults>
>       <allow_any>no</allow_any>
>       <allow_inactive>no</allow_inactive>
>       <allow_active>yes</allow_active>
>     </defaults>
>   </action>
> 
> </policyconfig>
> ------------
> 
> Changing "allow_active" from "yes" to "no" and restarting "pcscd" has
> no impact either.
> 
> I don't understand what is going on, but this behavior doesn't seem to
> be correct. A non-privileged user (that isn't even a member of group
> "u2f") should not gain access to a security token plugged into the
> machine.
> 
> Is this behavior reproducible by others, or maybe just a configuration
> mistake by me?
> 
> I previously mentioned this issue here:
> https://forums.FreeBSD.org/threads/94605/post-670209
> 
> Kind Regards,
> Jan Behrens
> 


