Date: Wed, 4 Sep 2024 22:32:03 -0500 From: Kyle Evans <kevans@FreeBSD.org> To: freebsd-security@freebsd.org Subject: Re: Privileges using security tokens through PC/SC-daemon Message-ID: <eda5bf90-4ff4-44f7-9579-7c9b5a0f5aa2@FreeBSD.org> In-Reply-To: <5e49667e-daf5-4c37-bc59-83ad8806c945@FreeBSD.org> References: <20240904104147.8c1e74632b2c6d4f6a759ee6@magnetkern.de> <20240905005823.3f7aa990a66c5f40d4eb4a8b@magnetkern.de> <92f328f3-0f74-441a-840b-fdc3ae71fe0b@FreeBSD.org> <20240905021750.6716898b6d52e08b0287940b@magnetkern.de> <5e49667e-daf5-4c37-bc59-83ad8806c945@FreeBSD.org>
On 9/4/24 21:58, Kyle Evans wrote:
> On 9/4/24 19:17, Jan Behrens wrote:
>> On Wed, 4 Sep 2024 18:14:56 -0500
>> Kyle Evans <kevans@FreeBSD.org> wrote:
>>
>>> On 9/4/24 17:58, Jan Behrens wrote:
>>>> I think I may have found the problem. If I'm right, it is an issue of
>>>> pcsc-lite in combination with FreeBSD.
>>>>
>>>> Looking into pcsc-lite's file "src/auth.c", we find:
>>>>
>>>> #if defined(HAVE_POLKIT) && defined(SO_PEERCRED)
>>>> ...
>>>>
>>>> [...]
>>>>
>>>> See:
>>>> https://github.com/LudovicRousseau/PCSC/blob/da69dda356dc79300a997631f94efed7190d30a6/src/auth.c#L54
>>>>
>>>> If I'm not mistaken, SO_PEERCRED is not set by the build system and it
>>>> is not defined on FreeBSD (but only on Linux). Then pcsc-lite defaults
>>>> to simply assume that any client is always authorized. Not good.
>>>>
>>>> I wasn't able to get the build working, so maybe someone can check if
>>>> my guess is correct.
>>>>
>>>> Kind regards,
>>>> Jan Behrens
>>>>
>>>
>>> Right, that'd be a problem. Something like this might work, but I
>>> haven't even build-tested it:
>>>
>>> https://people.freebsd.org/~kevans/pcsc-auth.diff
>>>
>>> It could be cleaned up a little bit if it works.
>>>
>>> Thanks,
>>>
>>> Kyle Evans
>>>
>>
>> While that would fix things for FreeBSD, I still think it's not a good
>> idea to default to "always grant access" when a C macro is missing.
>> This could lead to unnoticed security vulnerabilities on other
>> platforms as we
>
> I don't have a strong opinion about this, but my
> I-spent-five-minutes-looking-at-PCSC assessment would tend to agree.
>
>> Maybe a better approach would be to make pcscd refuse to start up
>> without --disable-polkit on those platforms where Polkit or socket
>> authentication is not available/implemented. (And also add the fixes
>> for FreeBSD like you suggested, so this does not apply to FreeBSD.)
>>
>
> I have a stronger opinion here: polkit is a build-time configuration
> option, and it absolutely should not build if there's no sane
> IsClientAuthorized implementation for the platform. Failing open when
> the software has led you to believe that a policy will be doing access
> control is a complete tragedy that, IMO, is probably more of an
> oversight than an intentional decision.
>

I've posted a pull request now:

https://github.com/LudovicRousseau/PCSC/pull/209

> Thanks,
>
> Kyle Evans
>
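The pattern the thread argues for, written out as an added example that is not pcsc-lite's code, not Kyle's diff, and not part of the pull request: a peer-credential check on an AF_UNIX socket that uses SO_PEERCRED where it exists (Linux), getpeereid(2) on FreeBSD and the other BSDs, and otherwise refuses to compile instead of silently compiling to "every client is authorized". The function names, the "allow root or the daemon's own uid" policy standing in for a polkit query, and the socketpair self-check are all assumptions made for this example.

```c
#define _GNU_SOURCE          /* glibc needs this for struct ucred */
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>
#include <stdio.h>

/* Added example, not pcsc-lite's auth.c. Fetch the uid/gid of the process
 * on the other end of a connected AF_UNIX socket.
 * Linux: SO_PEERCRED via getsockopt(2). FreeBSD/NetBSD/OpenBSD/macOS:
 * getpeereid(2). Anything else: fail the build rather than fail open.
 * Returns 0 on success, -1 with errno set on failure. */
static int peer_creds(int fd, uid_t *uid, gid_t *gid)
{
#if defined(SO_PEERCRED)
    struct ucred cr;
    socklen_t len = sizeof cr;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cr, &len) != 0)
        return -1;
    *uid = cr.uid;
    *gid = cr.gid;
    return 0;
#elif defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(__APPLE__)
    return getpeereid(fd, uid, gid);
#else
#error "no peer-credential primitive for this platform; refusing to build an authorizer that would fail open"
#endif
}

/* Hypothetical policy standing in for the polkit query: allow root and the
 * daemon's own uid, deny everyone else. Every error path denies. */
static int is_client_authorized(int fd)
{
    uid_t uid;
    gid_t gid;
    if (peer_creds(fd, &uid, &gid) != 0)
        return 0;                       /* fail closed on lookup error */
    return uid == 0 || uid == getuid();
}

/* Self-check: on a socketpair the peer is this very process, so the
 * reported uid must equal getuid(). Returns that uid, or -1 on failure. */
int demo_peer_uid(void)
{
    int sv[2];
    uid_t uid;
    gid_t gid;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    int rc = peer_creds(sv[0], &uid, &gid);
    close(sv[0]);
    close(sv[1]);
    return rc == 0 ? (int)uid : -1;
}

/* Runs the policy against a socketpair peer (ourselves): expected 1. */
int demo_authorized(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    int ok = is_client_authorized(sv[1]);
    close(sv[0]);
    close(sv[1]);
    return ok;
}

int main(void)
{
    printf("peer uid %d (getuid() = %d), authorized = %d\n",
           demo_peer_uid(), (int)getuid(), demo_authorized());
    return 0;
}
```

The point is the `#else` branch: a platform with neither primitive stops the build with a message, which is what Kyle's "absolutely should not build" asks for. A configure-time check that refuses `--enable-polkit` (or requires `--disable-polkit`, as Jan suggests) without a working credential primitive would serve the same purpose one layer up. Note also that SO_PEERCRED on Linux and getpeereid(2) on FreeBSD report the credentials of the peer at connect(2)/socketpair(2) time, not the peer's current credentials, so a client that drops privileges after connecting is still seen with its original uid.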
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?eda5bf90-4ff4-44f7-9579-7c9b5a0f5aa2>