103483 – F26 server - wget - p11-kit/OpenSC - pcsc-lite/pcscd - polkit

Bug 103483 - F26 server - wget - p11-kit/OpenSC - pcsc-lite/pcscd - polkit

Summary: F26 server - wget - p11-kit/OpenSC - pcsc-lite/pcscd - polkit

Status:	RESOLVED NOTOURBUG

Alias:	None

Product:	PolicyKit
Classification:	Unclassified
Component:	libpolkit (show other bugs)
Version:	unspecified
Hardware:	Other All

Importance:	medium normal
Assignee:	David Zeuthen (not reading bugmail)
QA Contact:	David Zeuthen (not reading bugmail)

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2017-10-27 13:25 UTC by Ted Lyngmo
Modified:	2017-10-27 21:02 UTC (History)
CC List:	1 user (show)

See Also:
i915 platform:
i915 features:

Attachments

Description Ted Lyngmo 2017-10-27 13:25:32 UTC

Whenever a user is using wget to fetch a webpage via https, we'll get messages like this in /var/log/messages:

2017-09-21T10:54:35+02:00 ninja pcscd[2721]: 03445385 auth.c:137:IsClientAuthorized() Process 48952 (user: 48) is NOT authorized for action: access_pcsc
2017-09-21T10:54:35+02:00 ninja pcscd[2721]: 00000279 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client

This started after upgrading to F26 (or possibly F25 which was installed for a few days). I have no idea why wget (via one of the libraries involved) would try to access the smart card reader without the user telling it to. Even though it fails getting access to a reader (which I've currently got none), the https pages are received just fine.

curl works without triggering these kinds of messages.

I file this in polkit's bugzilla but really have no clue if it belongs somewhere else.

References
----------
Fedora forum:
https://forums.fedoraforum.org/showthread.php?t=315778

Discussion with pcsc's creator who helped me narrowing the problem down a bit:
https://github.com/LudovicRousseau/PCSC/issues/26

Comment 1 Ted Lyngmo 2017-10-27 13:28:25 UTC

Note: I added two polkit rules to grant everyone smart card access to stop the log messages, but can't keep it like that if I decide to connect a smart card reader.

Comment 2 Miloslav Trmac 2017-10-27 21:02:54 UTC

*shrug* polkit is responding to requests; it can’t make httpd ask for smart card access. polkit also definitely cannot stop pcscd from logging whatever it wants to log.

Something else is talking to pcscd to access the smart card, and then pcscd is asking polkit whether to allow that.

See https://fedoraproject.org/wiki/Changes/PcscAccessControl for a bit more context.

AFAICT either wget, or one of its TLS implementations, or the underlying crypto library, has been configured, or is configured by default, to use keys on smart cards.   Figure out what this configuration piece is, disable it if you want, and these entries will disappear.

Alternatively, it _might_ make sense to just silence the pcscd log messages by default, if it turns out that it is expected that many clients from many user accounts will try to use the smart card but the access will only be allowed to a much smaller subset of clients.

Either way, I can’t see how polkit can help here.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.