Ludovic Rousseau wrote:

On 19/10/06, Andreas Jellinghaus <[EMAIL PROTECTED]> wrote:

Douglas E. Engert wrote:
> Is there any way to have OpenCT limit access to reader devices to
> the user logged in at the console?

sure.
chgrp scard /var/run/openct
and configure some pam module for login only,
so it adds the user to group scard.

that way only those who used login have group scard and can
use openct, while those using ssh, kdm, whatever can not.

> I sent a similar note to the muscle list asking about PCSC.

sorry, I have little clue about pcsc. maybe ludovic knows?
I guess you can set permissions on the pcsc sockets too.


I also proposed to change the permissions on the /var/run/pcscd.*
files. Your idea of dynamically adding a user to a particular group is
very good.

I think that this idea was dropped in 2000 or so because of the ability
of a user once in a group creating a program or script with the
set group bit and then using this program at a later time to
access the device when they should not.

I believe hal was trying to address that problem.

I would prefer "smartcard" as the group name to be more
explicit.

Ubuntu is using scard as a group with OpenCT.


Do you know a PAM module that does that?

pam_console was to change permissions on files, don't know
of the one to add groups to a session.


Bye,


--

 Douglas E. Engert  <[EMAIL PROTECTED]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
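
The set-group-ID concern raised in the thread can be checked for on a host. The following is an added example, not part of the original messages: it lists regular files that carry the set-group-ID bit and belong to the reader group (scard in the thread). The function names and the directories in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: audit for set-group-ID files owned by the smart card
# reader group. Function names and the example paths are assumptions.

# list_setgid_for_group GROUP DIR...
# Prints one path per line for every regular file under DIR... that has
# the set-group-ID bit set and belongs to GROUP (name or numeric gid).
list_setgid_for_group() {
    group=$1
    shift
    # -xdev        stay on the starting filesystem (skips /proc, network mounts)
    # -perm -2000  the set-group-ID bit is set
    # Unreadable subdirectories are skipped silently; run as root for full coverage.
    find "$@" -xdev -type f -group "$group" -perm -2000 -print 2>/dev/null || true
}

# audit_reader_group GROUP DIR...
# Returns 0 when no such file exists, 1 (with a report on stderr) otherwise.
audit_reader_group() {
    found=$(list_setgid_for_group "$@")
    if [ -n "$found" ]; then
        printf 'set-group-ID files owned by group %s:\n%s\n' "$1" "$found" >&2
        return 1
    fi
    return 0
}

# Typical call, scanning places where ordinary users can write:
#   audit_reader_group scard /home /tmp /var/tmp
```

Mounting user-writable filesystems with the nosuid option prevents such a leftover file from granting the group when it is executed.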
