Bug#1061444: pcscd: GDM user is NOT authorized for action: access_pcsc
Hello, Le 24/01/2024 à 22:07, Ludovic Rousseau a écrit : Le 24/01/2024 à 19:43, Ludovic Rousseau a écrit : Le 24/01/2024 à 18:09, Laurent Bigonville a écrit : Package: pcscd Version: 2.0.1-1 Severity: normal X-Debbugs-Cc: debian-gtk-gn...@lists.debian.org Hello, When looking at the logs of pcscd, I see the following messages: jan 22 09:47:37 edoras pcscd[1663]: auth.c:125:IsClientAuthorized() Error in authorization: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: Process not found jan 22 09:47:37 edoras pcscd[1663]: 0031 auth.c:143:IsClientAuthorized() Process 1565 (user: 115) is NOT authorized for action: access_pcsc It seems that GDM is not allowed to talk to pcscd. GDM has the functionality to detect whether there is a smartcard in the reader and then use the gdm-smartcard PAM service instead of the gdm-password one to perform login. I guess that GDM should be whitelisted to allow it to use pcscd? Exact. Good point. You can add polkit config file until I fix the issue. https://blog.apdu.fr/posts/2023/11/pcsc-lite-and-polkit/ The fix is quite easy. Create a new file /etc/polkit-1/rules.d/03-polkit-pcscd.rules containing: polkit.addRule(function(action, subject) { if ((action.id == "org.debian.pcsc-lite.access_pcsc" || action.id == "org.debian.pcsc-lite.access_card") && subject.user == "Debian-gdm") { return polkit.Result.YES; } }); What I don't know is if this new file should be provided by the pcscd package or by the gdm3 package. I would say gdm3 but I am not sure. I started a discussion on the pcsclite-muscle list at https://lists.infradead.org/pipermail/pcsclite-muscle/2024-January/001457.html The problem is also present on Fedora 39. It is surprising because Fedora has enabled polkit in pcsc-lite since a long time (2014?) I opened a ticket at gdm upstream https://gitlab.gnome.org/GNOME/gdm/-/issues/904 I think the fix should be provided by gdm itself. So I reassign this ticket to the Debian gdm package. Bye -- Dr. Ludovic Rousseau
Bug#1061444: pcscd: GDM user is NOT authorized for action: access_pcsc
Le 24/01/2024 à 19:43, Ludovic Rousseau a écrit : Le 24/01/2024 à 18:09, Laurent Bigonville a écrit : Package: pcscd Version: 2.0.1-1 Severity: normal X-Debbugs-Cc: debian-gtk-gn...@lists.debian.org Hello, When looking at the logs of pcscd, I see the following messages: jan 22 09:47:37 edoras pcscd[1663]: auth.c:125:IsClientAuthorized() Error in authorization: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: Process not found jan 22 09:47:37 edoras pcscd[1663]: 0031 auth.c:143:IsClientAuthorized() Process 1565 (user: 115) is NOT authorized for action: access_pcsc It seems that GDM is not allowed to talk to pcscd. GDM has the functionality to detect whether there is a smartcard in the reader and then use the gdm-smartcard PAM service instead of the gdm-password one to perform login. I guess that GDM should be whitelisted to allow it to use pcscd? Exact. Good point. You can add polkit config file until I fix the issue. https://blog.apdu.fr/posts/2023/11/pcsc-lite-and-polkit/ The fix is quite easy. Create a new file /etc/polkit-1/rules.d/03-polkit-pcscd.rules containing: polkit.addRule(function(action, subject) { if ((action.id == "org.debian.pcsc-lite.access_pcsc" || action.id == "org.debian.pcsc-lite.access_card") && subject.user == "Debian-gdm") { return polkit.Result.YES; } }); What I don't know is if this new file should be provided by the pcscd package or by the gdm3 package. I would say gdm3 but I am not sure. I started a discussion on the pcsclite-muscle list at https://lists.infradead.org/pipermail/pcsclite-muscle/2024-January/001457.html Bye -- Dr. Ludovic Rousseau
Bug#1061444: pcscd: GDM user is NOT authorized for action: access_pcsc
Le 24/01/2024 à 18:09, Laurent Bigonville a écrit : Package: pcscd Version: 2.0.1-1 Severity: normal X-Debbugs-Cc: debian-gtk-gn...@lists.debian.org Hello, When looking at the logs of pcscd, I see the following messages: jan 22 09:47:37 edoras pcscd[1663]: auth.c:125:IsClientAuthorized() Error in authorization: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: Process not found jan 22 09:47:37 edoras pcscd[1663]: 0031 auth.c:143:IsClientAuthorized() Process 1565 (user: 115) is NOT authorized for action: access_pcsc It seems that GDM is not allowed to talk to pcscd. GDM has the functionality to detect whether there is a smartcard in the reader and then use the gdm-smartcard PAM service instead of the gdm-password one to perform login. I guess that GDM should be whitelisted to allow it to use pcscd? Exact. Good point. You can add polkit config file until I fix the issue. https://blog.apdu.fr/posts/2023/11/pcsc-lite-and-polkit/ Bye -- Dr. Ludovic Rousseau
Bug#1061444: pcscd: GDM user is NOT authorized for action: access_pcsc
Package: pcscd Version: 2.0.1-1 Severity: normal X-Debbugs-Cc: debian-gtk-gn...@lists.debian.org Hello, When looking at the logs of pcscd, I see the following messages: jan 22 09:47:37 edoras pcscd[1663]: auth.c:125:IsClientAuthorized() Error in authorization: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: Process not found jan 22 09:47:37 edoras pcscd[1663]: 0031 auth.c:143:IsClientAuthorized() Process 1565 (user: 115) is NOT authorized for action: access_pcsc It seems that GDM is not allowed to talk to pcscd. GDM has the functionality to detect whether there is a smartcard in the reader and then use the gdm-smartcard PAM service instead of the gdm-password one to perform login. I guess that GDM should be whitelisted to allow it to use pcscd? Kind regards, Laurent Bigonville -- System Information: Debian Release: trixie/sid APT prefers unstable-debug APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 6.6.11-amd64 (SMP w/8 CPU threads; PREEMPT) Locale: LANG=fr_BE.UTF-8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8), LANGUAGE=fr_BE:fr Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: SELinux: enabled - Mode: Permissive - Policy name: refpolicy Versions of packages pcscd depends on: ii init-system-helpers 1.66 ii libc6 2.37-13 ii libccid [pcsc-ifd-handler] 1.5.5-1 ii libglib2.0-02.78.3-1 ii libpcsclite12.0.1-1 ii libpolkit-gobject-1-0 124-1 ii libsystemd0 255.2-4 ii libudev1255.2-4 pcscd recommends no packages. Versions of packages pcscd suggests: ii systemd 255.2-4 -- no debconf information