[Pcsclite-muscle] [PATCH] pcsc-lite & polkit: allow auth_admin

Stanislav Brabec sbrabec at suse.cz
Thu Dec 4 20:07:58 UTC 2014


On Dec 4, 2014 at 16:07 Ludovic Rousseau wrote:

> IsClientAuthorized() is called only from ContextThread(). This code is
> running in a thread dedicated to the PC/SC client (in fact dedicated
> to a SCardEstablishContext context). So blocking this thread should
> not affect the other pcscd tasks.
> 
> Do you think the change proposed by Stanislav is still a problem?
> 
Well, we can keep the patch and change the defaults. Then the default
configuration can never cause delays, but users of ssh remote sessions
and so on will still be able to authorize after the admin's conscious
changes of configuration.

This configuration will behave exactly the same as the previous one
without the previous patch.

Index: pcsc-lite-1.8.13/doc/org.debian.pcsc-lite.policy
===================================================================
--- pcsc-lite-1.8.13.orig/doc/org.debian.pcsc-lite.policy
+++ pcsc-lite-1.8.13/doc/org.debian.pcsc-lite.policy
@@ -9,20 +9,20 @@
 
   <action id="org.debian.pcsc-lite.access_pcsc">
     <description>Access to the PC/SC daemon</description>
-    <message>Authentication is required to access the PC/SC daemon</message>
+    <message>Authentication is required to access the PC/SC daemon. Warning: Use of "auth_admin" can cause processing delays!</message>
     <defaults>
-      <allow_any>auth_admin</allow_any>
-      <allow_inactive>auth_admin</allow_inactive>
+      <allow_any>no</allow_any>
+      <allow_inactive>no</allow_inactive>
       <allow_active>yes</allow_active>
     </defaults>
   </action>
 
   <action id="org.debian.pcsc-lite.access_card">
     <description>Access to the smart card</description>
-    <message>Authentication is required to access the smart card</message>
+    <message>Authentication is required to access the PC/SC daemon. Warning: Use of "auth_admin" can cause processing delays!</message>
     <defaults>
-      <allow_any>auth_admin</allow_any>
-      <allow_inactive>auth_admin</allow_inactive>
+      <allow_any>no</allow_any>
+      <allow_inactive>no</allow_inactive>
       <allow_active>yes</allow_active>
     </defaults>
   </action>
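
Review bot: In the org.debian.pcsc-lite.access_card action, the replacement <message> now reads "access the PC/SC daemon". That looks like a copy-paste from the access_pcsc action: the removed line said "access the smart card" and the <description> still says "Access to the smart card", so the new message should keep "smart card". Separately, the auth_admin warning is placed in <message>, which is the text polkit shows to the user in the authentication prompt. With the new defaults (no/no/yes) no prompt appears, and once an administrator switches to auth_admin the warning is displayed to end users rather than to the person who made the change. An XML comment next to <defaults> would put the warning where the administrator edits the values.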

-- 
Best Regards / S pozdravem,

Stanislav Brabec
software developer
---------------------------------------------------------------------
SUSE LINUX, s. r. o.                          e-mail: sbrabec at suse.cz
Lihovarská 1060/12                            tel: +49 911 7405384547
190 00 Praha 9                                 fax:  +420 284 084 001
Czech Republic                                    http://www.suse.cz/
PGP: 830B 40D5 9E05 35D8 5E27 6FA3 717C 209F A04F CD76


