Shawn Willden wrote on 03/22/06 12:51 PM:
Hi,

While musing about some related issues today, a major possible problem with pcsc-lite's security model cropped up. It doesn't appear that there is any way to restrict smart card access by user. This means that any user on a multi-user system can use any smart card in any reader attached to that system. Now, access to security-critical features on smart cards is generally controlled by a PIN/password, but nearly all cards remember their authentication state. Indeed, they almost have to. This means that once I present my PIN to the card to, say, sign an e-mail, any other user logged onto my system can also use the credentials on my card.

Is it even possible for pcscd to enforce user-level access controls? Ideally, the first process to access the card (well, *ideally* the process that presents the PIN, but pcscd can't know that) should be able to tell pcscd to reject connections to that card from processes owned by other users. The only way for a different user account to obtain access to the card should be to reset the card. Allowing any user process to reset the card in the reader enables a DOS attack, but that's *much* less of a problem than the ability to impersonate another by using his card credentials.

Is there some mechanism in pcsc-lite to prevent this sort of attack? If not, is it even possible for pcscd to identify the owner of the processes that connect to its socket?

What if pcscd were to run as the user instead of as root? If multiple
users on the same system need to use different readers, they'd each
have their own pcscd.

Of course that'd need changes to pcscd to not try to create a single
socket in /var/run, and to libpcsclite to find the path to the right
pcscd for the user.

This is probably a direction we're going to want to go in in the future
anyway, to support USB card readers connected to Sun Ray thin clients,
presented to the user session via libusb.

    ~Iain

_______________________________________________
Muscle mailing list
[email protected]
http://lists.drizzle.com/mailman/listinfo/muscle