Bug#1061444: pcscd: GDM user is NOT authorized for action: access_pcsc

2024-02-02 Thread Ludovic Rousseau

Hello,

On 24/01/2024 at 22:07, Ludovic Rousseau wrote:

On 24/01/2024 at 19:43, Ludovic Rousseau wrote:

On 24/01/2024 at 18:09, Laurent Bigonville wrote:

Package: pcscd
Version: 2.0.1-1
Severity: normal
X-Debbugs-Cc: debian-gtk-gn...@lists.debian.org

Hello,

When looking at the logs of pcscd, I see the following messages:

jan 22 09:47:37 edoras pcscd[1663]:  auth.c:125:IsClientAuthorized() 
Error in authorization: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: 
Process not found
jan 22 09:47:37 edoras pcscd[1663]: 0031 auth.c:143:IsClientAuthorized() 
Process 1565 (user: 115) is NOT authorized for action: access_pcsc

It seems that GDM is not allowed to talk to pcscd.

GDM has the functionality to detect whether there is a smartcard in the
reader and then use the gdm-smartcard PAM service instead of the
gdm-password one to perform login.

I guess that GDM should be whitelisted to allow it to use pcscd?


Exactly.
Good point.

You can add a polkit config file until I fix the issue.
https://blog.apdu.fr/posts/2023/11/pcsc-lite-and-polkit/


The fix is quite easy.
Create a new file /etc/polkit-1/rules.d/03-polkit-pcscd.rules containing:
polkit.addRule(function(action, subject) {
    if ((action.id == "org.debian.pcsc-lite.access_pcsc"
         || action.id == "org.debian.pcsc-lite.access_card")
        && subject.user == "Debian-gdm") {
        return polkit.Result.YES;
    }
});


What I don't know is if this new file should be provided by the pcscd package 
or by the gdm3 package.
I would say gdm3 but I am not sure.

I started a discussion on the pcsclite-muscle list at 
https://lists.infradead.org/pipermail/pcsclite-muscle/2024-January/001457.html


The problem is also present on Fedora 39.
It is surprising because Fedora has enabled polkit in pcsc-lite for a long 
time (2014?).

I opened a ticket at gdm upstream
https://gitlab.gnome.org/GNOME/gdm/-/issues/904

I think the fix should be provided by gdm itself.
So I reassign this ticket to the Debian gdm package.

Bye

--
Dr. Ludovic Rousseau
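
The rule quoted in this message can be checked outside polkitd before it is installed. This is an added example, not code from the thread, pcsc-lite or gdm: it runs the rule's logic in a small stand-in engine and compares it with a variant that drops the inner parentheses. `makeEngine`, `decide`, `audit`, the user `alice` and the action `org.example.other` are hypothetical names used only here.

```javascript
// Stand-in for polkitd's rule engine (assumption: only addRule/Result modelled).
function makeEngine() {
  const rules = [];
  const polkit = { Result: { YES: "yes", NO: "no" }, addRule: (fn) => rules.push(fn) };
  // First rule returning a value decides; null means no rule matched, so
  // polkitd falls back to the implicit defaults in the action's .policy file.
  const decide = (actionId, user) => {
    for (const rule of rules) {
      const r = rule({ id: actionId }, { user });
      if (r !== undefined && r !== null) return r;
    }
    return null;
  };
  return { polkit, decide };
}
const PCSC = "org.debian.pcsc-lite.access_pcsc";
const CARD = "org.debian.pcsc-lite.access_card";

// Same logic as the rule in the thread, with the action ids held in constants.
function threadRule(polkit) {
  polkit.addRule(function (action, subject) {
    if ((action.id == PCSC || action.id == CARD)
        && subject.user == "Debian-gdm") {
      return polkit.Result.YES;
    }
  });
}

// Variant without the inner parentheses: && binds tighter than ||,
// so access_pcsc is granted to every user, not only Debian-gdm.
function looseRule(polkit) {
  polkit.addRule(function (action, subject) {
    if (action.id == PCSC || action.id == CARD
        && subject.user == "Debian-gdm") {
      return polkit.Result.YES;
    }
  });
}

// Evaluate one rule set over constructed (action, user) pairs.
function audit(install) {
  const { polkit, decide } = makeEngine();
  install(polkit);
  const cases = [[PCSC, "Debian-gdm"], [CARD, "Debian-gdm"], [PCSC, "alice"],
                 [CARD, "alice"], ["org.example.other", "Debian-gdm"]];
  return cases.map(([a, u]) => `${a.split(".").pop()}/${u}=${decide(a, u)}`);
}

console.log(audit(threadRule), audit(looseRule));
```

A `null` result means the rule stayed silent for that pair, so the decision is left to later rules and the defaults shipped with the action.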



Bug#1061444: pcscd: GDM user is NOT authorized for action: access_pcsc

2024-01-24 Thread Ludovic Rousseau

On 24/01/2024 at 19:43, Ludovic Rousseau wrote:

On 24/01/2024 at 18:09, Laurent Bigonville wrote:

Package: pcscd
Version: 2.0.1-1
Severity: normal
X-Debbugs-Cc: debian-gtk-gn...@lists.debian.org

Hello,

When looking at the logs of pcscd, I see the following messages:

jan 22 09:47:37 edoras pcscd[1663]:  auth.c:125:IsClientAuthorized() 
Error in authorization: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: 
Process not found
jan 22 09:47:37 edoras pcscd[1663]: 0031 auth.c:143:IsClientAuthorized() 
Process 1565 (user: 115) is NOT authorized for action: access_pcsc

It seems that GDM is not allowed to talk to pcscd.

GDM has the functionality to detect whether there is a smartcard in the
reader and then use the gdm-smartcard PAM service instead of the
gdm-password one to perform login.

I guess that GDM should be whitelisted to allow it to use pcscd?


Exactly.
Good point.

You can add a polkit config file until I fix the issue.
https://blog.apdu.fr/posts/2023/11/pcsc-lite-and-polkit/


The fix is quite easy.
Create a new file /etc/polkit-1/rules.d/03-polkit-pcscd.rules containing:
polkit.addRule(function(action, subject) {
    if ((action.id == "org.debian.pcsc-lite.access_pcsc"
         || action.id == "org.debian.pcsc-lite.access_card")
        && subject.user == "Debian-gdm") {
        return polkit.Result.YES;
    }
});


What I don't know is if this new file should be provided by the pcscd package 
or by the gdm3 package.
I would say gdm3 but I am not sure.

I started a discussion on the pcsclite-muscle list at 
https://lists.infradead.org/pipermail/pcsclite-muscle/2024-January/001457.html

Bye

--
Dr. Ludovic Rousseau



Bug#1061444: pcscd: GDM user is NOT authorized for action: access_pcsc

2024-01-24 Thread Ludovic Rousseau

On 24/01/2024 at 18:09, Laurent Bigonville wrote:

Package: pcscd
Version: 2.0.1-1
Severity: normal
X-Debbugs-Cc: debian-gtk-gn...@lists.debian.org

Hello,

When looking at the logs of pcscd, I see the following messages:

jan 22 09:47:37 edoras pcscd[1663]:  auth.c:125:IsClientAuthorized() 
Error in authorization: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: 
Process not found
jan 22 09:47:37 edoras pcscd[1663]: 0031 auth.c:143:IsClientAuthorized() 
Process 1565 (user: 115) is NOT authorized for action: access_pcsc

It seems that GDM is not allowed to talk to pcscd.

GDM has the functionality to detect whether there is a smartcard in the
reader and then use the gdm-smartcard PAM service instead of the
gdm-password one to perform login.

I guess that GDM should be whitelisted to allow it to use pcscd?


Exactly.
Good point.

You can add a polkit config file until I fix the issue.
https://blog.apdu.fr/posts/2023/11/pcsc-lite-and-polkit/

Bye

--
Dr. Ludovic Rousseau



Bug#1061444: pcscd: GDM user is NOT authorized for action: access_pcsc

2024-01-24 Thread Laurent Bigonville
Package: pcscd
Version: 2.0.1-1
Severity: normal
X-Debbugs-Cc: debian-gtk-gn...@lists.debian.org

Hello,

When looking at the logs of pcscd, I see the following messages:

jan 22 09:47:37 edoras pcscd[1663]:  auth.c:125:IsClientAuthorized() 
Error in authorization: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: 
Process not found
jan 22 09:47:37 edoras pcscd[1663]: 0031 auth.c:143:IsClientAuthorized() 
Process 1565 (user: 115) is NOT authorized for action: access_pcsc

It seems that GDM is not allowed to talk to pcscd.

GDM has the functionality to detect whether there is a smartcard in the
reader and then use the gdm-smartcard PAM service instead of the
gdm-password one to perform login.

I guess that GDM should be whitelisted to allow it to use pcscd?

Kind regards,
Laurent Bigonville

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 
'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.6.11-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=fr_BE.UTF-8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8), 
LANGUAGE=fr_BE:fr
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Permissive - Policy name: refpolicy

Versions of packages pcscd depends on:
ii  init-system-helpers         1.66
ii  libc6                       2.37-13
ii  libccid [pcsc-ifd-handler]  1.5.5-1
ii  libglib2.0-0                2.78.3-1
ii  libpcsclite1                2.0.1-1
ii  libpolkit-gobject-1-0       124-1
ii  libsystemd0                 255.2-4
ii  libudev1                    255.2-4

pcscd recommends no packages.

Versions of packages pcscd suggests:
ii  systemd  255.2-4

-- no debconf information