On Wednesday, 28 January 2009 18:06:33, Alon Bar-Lev wrote:
> On 1/28/09, Andreas Jellinghaus <a...@dungeon.inka.de> wrote:
> > > - Define policy for ACL (see freedesktop Bugzilla)
> >
> > root,root 0600 is fine with me. distributions could create some system
> > account, and use that system account for such usb devices and run pcscd
> > and openct under these accounts (if that works, not 100% sure here -
> > never tried).
>
> No.
> Should allow a group to access, such as root:usb 0660.
> This way you can add the openctd user (the user under which ifdhandler
> runs) to this group.

Someone has a group "usb"? Ouch. I don't like this proposal. People might think "let's add a user to that group, like we do with audio and video, so people can use usb devices". If this were then implemented like Alon suggested, a user can access a device that is required for login authentication (if you configured smart card authentication). Bad idea; at minimum this could be a denial of service attack. Not sure if claiming an interface via usb control prevents every other process from seeing what you send to and receive from that device, but I hope it does.

My recommendation stands: either run that software as root, or use a special user for these access rights. (Is there a special reason not to have some user as the owner of the dynamically created device nodes? If so, a special group with one user only could help, but it should not have a generic name. And I don't know of any such reason.)

Btw: many distributions have a group "scard" that regulates access to smart card reader middleware (pcscd and openct). (Well, ok, Debian and Ubuntu have that group, not 100% sure about other distributions.)

Regards, Andreas
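
As an added example (not part of this message and not OpenSC or openct code): a small audit that checks a reader's device node against the policies discussed in this thread, flagging group access through a generically named group or a group with members other than the middleware account. The `GENERIC_GROUPS` list, the group name `openct-reader` and the sample nodes are assumptions constructed for illustration.

```python
import grp
import os
import pwd
import stat

# Assumption: group names an admin might hand out for general device access.
GENERIC_GROUPS = {"usb", "audio", "video", "plugdev", "users"}


def audit_node(path, mode, owner, group, members, service_users):
    """Return findings for one device node; an empty list means it passes.

    members: user names in the node's group.
    service_users: accounts allowed to reach the reader (e.g. the openctd user).
    """
    findings = []
    perms = stat.S_IMODE(mode)
    if perms & 0o007:
        findings.append(f"{path}: accessible to every local user ({perms:04o})")
    if owner != "root" and owner not in service_users:
        findings.append(f"{path}: owned by non-service user {owner}")
    if perms & 0o060:  # group membership only matters if group bits are set
        if group in GENERIC_GROUPS:
            findings.append(f"{path}: group '{group}' has a generic name")
        extra = sorted(set(members) - set(service_users) - {"root"})
        if extra:
            findings.append(f"{path}: group '{group}' also admits {', '.join(extra)}")
    return findings


def audit_path(path, service_users):
    """Audit a real node. gr_mem lists supplementary members only, so users
    whose primary group is the node's group are added from the passwd database."""
    st = os.stat(path)
    g = grp.getgrgid(st.st_gid)
    members = set(g.gr_mem) | {p.pw_name for p in pwd.getpwall() if p.pw_gid == st.st_gid}
    return audit_node(path, st.st_mode, pwd.getpwuid(st.st_uid).pw_name,
                      g.gr_name, members, service_users)


# Constructed sample nodes (paths, users and groups are made up).
SAMPLES = [
    ("/dev/bus/usb/001/004", stat.S_IFCHR | 0o600, "root", "root", []),
    ("/dev/bus/usb/001/005", stat.S_IFCHR | 0o660, "root", "usb", ["openctd", "alice"]),
    ("/dev/bus/usb/001/006", stat.S_IFCHR | 0o660, "root", "openct-reader", ["openctd"]),
]

if __name__ == "__main__":
    for path, mode, owner, group, members in SAMPLES:
        result = audit_node(path, mode, owner, group, members, {"openctd"})
        print(path, "OK" if not result else result)
```

On a live system, `audit_path` applies the same check to an actual node, given the set of middleware account names.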