Andreas Jellinghaus wrote:
> On Wednesday 28 January 2009 19:02:39, Stanislav Brabec wrote:
> > In case of Smart Cards, it might be GID writability for "scard" group,
> > allowing to run smart card daemon without root privileges.
> 
> if pcscd or openct should run as non-root, then there should be:
> * one way how openct/pcscd can access the serial and usb devices
>    (please document what users with serial smart card readers need to do)

This might work:
<?xml version="1.0" encoding="ISO-8859-1"?>
<deviceinfo version="0.2">
  <device>
    <match key="linux.device_file" string="/dev/ttyS0">
      <merge key="info.category" type="string">smart_card_reader</merge>
    </match>
  </device>
</deviceinfo>
(Depending on system configuration, removing the "modem" capability would
be useful.)

> * one way how users allowed to access the readers can connect to openct/pcscd
Socket GID writeable for scard. By default, no users are in scard group.
Then use e. g.:
polkit-auth --constraint local /var/run/openct
or something similar

> I think these two things should be kept separated, and "scard" is already
> used for the latter case.

"scard" UID may be used for daemon access, "scard" GID may be used as a
static alternative for those sysadmins who don't want to use
PolicyKit.

Static style (rough draft):
chown -R scard:scard /var/run/openct
chmod -R 770 /var/run/openct
chmod -R 770 /dev/path_to_the_reader
Run daemon as scard user.
Add selected users to group scard.
=> Only users in group scard can access the reader.

Dynamic way with HAL+PolicyKit (rough draft):
- set PolicyKit according to http://bugs.freedesktop.org/show_bug.cgi?id=19663
chown -R scard:scard /var/run/openct
chmod -R 770 /var/run/openct
polkit-auth --constraint local /var/run/openct
(/dev/path_to_the_reader is handled by PolicyKit automatically)
Run daemon as scard user.
Don't add anybody to group scard.
=> Only users logged in locally can access the reader (it can be changed in
   PolicyKit settings).

-- 
Best Regards / S pozdravem,

Stanislav Brabec
software developer
---------------------------------------------------------------------
SUSE LINUX, s. r. o.                          e-mail: sbra...@suse.cz
Lihovarská 1060/12           tel: +420 284 028 966, +49 911 740538747
190 00 Praha 9                                  fax: +420 284 028 951
Czech Republic                                    http://www.suse.cz/

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
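
An audit for the "static style" draft in the message above, as an added example that is not part of the original e-mail or of OpenSC/openct: it checks that everything under a directory (or a single device node) has the expected owner and group and no permission bits for "other", and lists who is in the group. It assumes GNU find and stat; the function names are hypothetical, and the path, user and group are passed as arguments.

```shell
#!/bin/sh
# Added example (not from the original message): audit the "static style" setup.
# Assumes GNU find/stat; names and paths are passed in, nothing is hard-coded.

# audit_tree DIR OWNER GROUP
# Prints one line per deviation under DIR; returns 0 only if none was found.
audit_tree() {
    dir=$1 want_owner=$2 want_group=$3 problems=0
    [ -e "$dir" ] || { echo "MISSING $dir"; return 1; }
    # Visit every entry that chown -R / chmod -R would have touched.
    # Symlinks are skipped because their own mode bits carry no meaning.
    listing=$(find "$dir" ! -type l -exec stat -c '%U %G %a %n' {} +)
    while read -r owner group mode path; do
        [ -n "$path" ] || continue
        if [ "$owner" != "$want_owner" ]; then
            echo "OWNER $path is $owner"; problems=$((problems + 1))
        fi
        if [ "$group" != "$want_group" ]; then
            echo "GROUP $path is $group"; problems=$((problems + 1))
        fi
        # The last octal digit is the "other" class; 770 requires it to be 0.
        case $mode in
            *0) ;;
            *) echo "WORLD $path mode $mode"; problems=$((problems + 1)) ;;
        esac
    done <<EOF
$listing
EOF
    [ "$problems" -eq 0 ]
}

# group_members GROUP [FILE]
# Prints the supplementary members of GROUP from a group(5) file, one per line.
# Users whose primary GID is GROUP are not listed there; check passwd(5) too.
group_members() {
    awk -F: -v g="$1" '$1 == g && $4 != "" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "${2:-/etc/group}"
}

# Typical call on a configured host: sh audit.sh /var/run/openct scard scard
if [ "$#" -eq 3 ]; then
    audit_tree "$1" "$2" "$3"
    group_members "$3"
fi
```

Run it once for the socket directory and once for the reader device node; any OWNER, GROUP or WORLD line means the access rule "only users in group scard" does not hold for that entry.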
