You are not logged in.

#1 2023-04-03 13:51:36

nomeed
Member
Registered: 2015-05-08
Posts: 13

After pcscd upgrade sssd user no longer authorized to access

Setup of GnuPG with pcscd no longer works on a sssd user

https://wiki.archlinux.org/title/GnuPG#Always_use_pcscd

[2023-04-02T19:52:51+0200] [ALPM] upgraded pcsclite (1.9.9-2 -> 1.9.9-3)
[2023-04-02T19:53:45+0200] [ALPM] upgraded pcsc-tools (1.6.0-1 -> 1.6.2-1)

Getting this error

Apr 03 15:23:38 <host> systemd[1]: Started PC/SC Smart Card Daemon.
Apr 03 15:23:38 <host> pcscd[18957]: 00000000 auth.c:119:IsClientAuthorized() Error in authorization: GDBus.Error:org.gtk.GDBus.UnmappedGError.Quark._g_2dfile_2derror_2dquark.Code4: Failed to
 open file “/proc/6196/status”: No such file or directory
Apr 03 15:23:38 <host> pcscd[18957]: 00000020 auth.c:137:IsClientAuthorized() Process 6196 (user: 30000) is NOT authorized for action: access_pcsc
Apr 03 15:23:39 <host> pcscd[18957]: 00000081 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
Apr 03 15:23:39 <host> gpg-agent[6196]: scdaemon[6196]: pcsc_establish_context failed: inserted card (0x8010006a)
Apr 03 15:23:39 <host> gpg-agent[1624]: no device present
Apr 03 15:23:39 <host> gpg-agent[1624]: smartcard decryption failed: Operation cancelled
Apr 03 15:23:39 <host> gpg-agent[1624]: command 'PKDECRYPT' failed: Operation cancelled <Pinentry>

The process(6196) not authorized is the scdaemon run by the sssd user with the id 30000


Tried adding polkit rules as mentioned in https://github.com/SSSD/sssd/issues/5087 since it has the same error message but it does not help.

Anyone has a clue?

Offline

#2 2023-06-14 19:36:12

acegallagher
Member
Registered: 2016-07-29
Posts: 14

Re: After pcscd upgrade sssd user no longer authorized to access

Hey there. I think I figured it out. This seems to be because the arch packagess enabled the polkit support flag in the latest build which enables certain policies/rules. However, the pcsc package seems to be using GDBus to check for authority explicitly and since on my system I'm using kde polkit the authorization fails. This happens whether or not a correctly permissive rules for access is created. There are two solutions. To downgrade pcsclite to .9-2 or to compile the most recent one yourself without the --enable-polkit flag. I'm not an expert in how the auth check is made so I have no idea what bug report to file or where.

Offline

#3 2023-06-18 20:42:31

kmille
Member
Registered: 2020-10-26
Posts: 5

Re: After pcscd upgrade sssd user no longer authorized to access

Offline

Board footer

Powered by FluxBB