[Bug 438131] New: ctapi-cyberjack uses resmgr for device access
https://bugzilla.novell.com/show_bug.cgi?id=438131

Summary: ctapi-cyberjack uses resmgr for device access
Product: openSUSE 11.1
Version: Factory
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Other
AssignedTo: sbrabec@novell.com
ReportedBy: lnussel@novell.com
QAContact: qa@suse.de
CC: dkukawka@novell.com
Found By: Development

/etc/hal/fdi/policy/10osvendor/80-cyberjack.fdi refers to resmgr for device access, which is gone. Instead of
  <merge key="resmgr.class" type="string">usb</merge>
use something like
  <append key="info.capabilities" type="strlist">cardreader</append>
hal needs to be taught about the cardreader privilege then as well.

-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
--- Comment #1 from Stanislav Brabec (sbrabec@novell.com): https://bugzilla.novell.com/show_bug.cgi?id=438131#c1
--- Comment #2 from Ludwig Nussel (lnussel@novell.com): https://bugzilla.novell.com/show_bug.cgi?id=438131#c2
--- Comment #3 from Kai-Wilhelm Bolte (kwbolte@gmx.de): https://bugzilla.novell.com/show_bug.cgi?id=438131#c3
--- Comment #4 from Ludwig Nussel (lnussel@novell.com): https://bugzilla.novell.com/show_bug.cgi?id=438131#c4
--- Comment #5 from Wolfgang Rosenauer (wolfgang@rosenauer.org): https://bugzilla.novell.com/show_bug.cgi?id=438131#c5
--- Comment #6 from Ludwig Nussel (lnussel@novell.com): https://bugzilla.novell.com/show_bug.cgi?id=438131#c6
--- Comment #7 from Wolfgang Rosenauer (wolfgang@rosenauer.org): https://bugzilla.novell.com/show_bug.cgi?id=438131#c7
--- Comment #8 from Stanislav Brabec (sbrabec@novell.com): https://bugzilla.novell.com/show_bug.cgi?id=438131#c8
--- Comment #9 from Ludwig Nussel (lnussel@novell.com): https://bugzilla.novell.com/show_bug.cgi?id=438131#c9
What do I need to change in ctapi-cyberjack (and other smart card packages) to make it work again? How should I define the policy for smart cards: only the user physically logged in at the desk can use it.
Have a look at /etc/hal/fdi/policy/10osvendor/70-scanner.fdi, i.e. merge some keyword into info.category according to vendor and product id. You need to merge that property into the proper object. Use e.g. gnome-device-manager to visualize the objects hal knows about. Your property needs to end up in the object that has /dev/bus/usb/*/* as linux.device_file. The hal package will handle the rest, i.e. Danny has to modify /usr/share/hal/fdi/policy/10osvendor/20-acl-management.fdi and /usr/share/PolicyKit/policy/org.freedesktop.hal.device-access.policy. For testing you could try merging 'scanner' into info.category.
This is what I did in openct. It seems to work. Is it correct?
/usr/share/hal/fdi/information/10freedesktop/10-usb-openct.fdi:
<append key="info.addons" type="strlist">hald-addon-openct</append>
where hald-addon-openct starts with:
chown daemon:daemon $HAL_PROP_LINUX_DEVICE_FILE
No.
--- Comment #10 from Stanislav Brabec (sbrabec@novell.com): https://bugzilla.novell.com/show_bug.cgi?id=438131#c10
--- Comment #11 from Stanislav Brabec (sbrabec@novell.com): https://bugzilla.novell.com/show_bug.cgi?id=438131#c11
--- Comment #12 from Stanislav Brabec (sbrabec@novell.com): https://bugzilla.novell.com/show_bug.cgi?id=438131#c12
/dev/bus/usb/003/002' with local user privileges?
--- Comment #13 from Ludwig Nussel (lnussel@novell.com): https://bugzilla.novell.com/show_bug.cgi?id=438131#c13
Attaching my best attempt (live system patch), but still not working.
Please help me with the following files (packages pcsc-lite, opensc, pcsc-cyberjack): /usr/share/hal/fdi/information/10freedesktop/10-usb-openct.fdi /etc/hal/fdi/policy/10osvendor/80-cyberjack.fdi
Should be moved to /usr/share/hal/fdi/information/20thirdparty
/etc/udev/rules.d/pcscd_ccid.rules /etc/udev/rules.d/99-pcsc_lite.rules
And the same for UPS devices: /etc/udev/rules.d/52_nut-usbups.rules ... and the whole nut-hal package. I was not able to make it work, so I disabled it completely.
Those ownership changes are wrong, see below.
What is the correct value for match key="info.subsystem" string="usb..."
"usb" or "usb_device"? Half of files use "usb_device", another half "usb".
Depends on what you want to match. A usb device ("usb_device") may have multiple interfaces ("usb"). Only the usb device actually has a device node in /dev/bus/usb. If you are only going to match for vendor/product, place your match at "usb_device". If you need to look at interface properties, a little more magic is required to get the correct values into the parent.
And what is correct here: <append key="info.capabilities" type="strlist">smart-card-reader</append> ^ append or merge?
append is used to append a value to a list, merge will overwrite
^ capabilities or category?
http://people.freedesktop.org/~david/hal-spec/hal-spec.html "...two textual properties, info.category and info.capabilities. The former describes what the device is (as a single alphanumeric keyword) and the latter describes what the device does (as a number of alphanumeric keywords separated by whitespace)". So if the only function of the device is being a card reader, using 'category' would be correct.
^ smart-card-reader or smart_card_reader
I don't know what the naming guidelines on hal are. That's a question Danny can probably give some advice on.
For use of pcsc-lite and openct, "daemon" UID must be also allowed to use the card. How should I do it? udev? hald-addon? anything else?
Not at all. Use of the daemon group is rather unspecified, so don't use it to assign privileges. Your daemon uses a dedicated user for its operation, does it? So you could grant privileges explicitly to that user. Unfortunately there is no framework to do that in a clean way yet, so you have to call polkit-auth manually in %pre or %post. See for example hal.
How can I test that capabilities were properly set? getfacl? Or 'echo "" > /dev/bus/usb/003/002' with local user privileges?
getfacl.
$ polkit-auth |grep sound
org.freedesktop.hal.device-access.sound
$ getfacl /dev/dsp
getfacl: Removing leading '/' from absolute path names
# file: dev/dsp
# owner: root
# group: audio
user::rw-
user:lnussel:rw-    <- here I have access
group::rw-
mask::rw-
other::---
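A worked version of the scheme laid out in comments #9 and #13 (merge a keyword into the usb_device object that owns the /dev/bus/usb node, append a capability, let hal's ACL stage map that to a PolicyKit action). This is an added illustration, not code from the bug report, from hal or from ctapi-cyberjack: a small evaluator for the fdi subset the thread uses (<match> on string/int/contains, <merge>, <append>, type="copy_property"), run over two constructed hal objects for one reader. The vendor/product ids 0x0c4b/0x0100, the device path /dev/bus/usb/003/002 and the ACL stanza modelled on 20-acl-management.fdi are assumptions made for the example; the real 20-acl-management.fdi and org.freedesktop.hal.device-access.policy shipped by hal are the authority for what hal actually does.

```python
"""Evaluate the small HAL .fdi subset this thread relies on (<match> on
string/int/contains, <merge>, <append>, type="copy_property") against
constructed hal objects.  Added example, not code from the bug report or hal."""
import xml.etree.ElementTree as ET

# Constructed replacement for 80-cyberjack.fdi.  Vendor/product ids are
# ASSUMED for illustration; take the real ones from `lsusb`.
CYBERJACK_FDI = """<deviceinfo version="0.2">
  <device>
    <match key="info.subsystem" string="usb_device">
      <match key="usb_device.vendor_id" int="0x0c4b">
        <match key="usb_device.product_id" int="0x0100">
          <merge key="info.category" type="string">smart_card_reader</merge>
          <append key="info.capabilities" type="strlist">smart_card_reader</append>
        </match>
      </match>
    </match>
  </device>
</deviceinfo>"""

# Same rules with <merge> instead of <append> on the capability list, to
# show why the thread says "append adds, merge overwrites".
MERGE_VARIANT = CYBERJACK_FDI.replace(
    '<append key="info.capabilities" type="strlist">smart_card_reader</append>',
    '<merge key="info.capabilities" type="strlist">smart_card_reader</merge>')

# Constructed stanza modelled on hal's 20-acl-management.fdi (an assumption,
# check the real file): the capability becomes access_control.* properties and
# the ACL tool asks PolicyKit about org.freedesktop.hal.device-access.<type>.
ACL_FDI = """<deviceinfo version="0.2">
  <device>
    <match key="info.capabilities" contains="smart_card_reader">
      <merge key="access_control.file" type="copy_property">linux.device_file</merge>
      <merge key="access_control.type" type="string">smart_card_reader</merge>
      <append key="info.capabilities" type="strlist">access_control</append>
    </match>
  </device>
</deviceinfo>"""


def sample_objects():
    """Constructed hal objects for one reader: the usb_device object (owns the
    node under /dev/bus/usb) and its usb interface object (no device node)."""
    device = {"info.subsystem": "usb_device",
              "usb_device.vendor_id": 0x0c4b, "usb_device.product_id": 0x0100,
              "linux.device_file": "/dev/bus/usb/003/002",
              "info.capabilities": ["usb_device"]}
    interface = {"info.subsystem": "usb",
                 "usb.vendor_id": 0x0c4b, "usb.product_id": 0x0100,
                 "info.capabilities": ["usb"]}
    return device, interface


def matches(elem, props):
    """Evaluate one <match> element against a property dict."""
    key = elem.get("key")
    if key not in props:
        return False
    value = props[key]
    if "string" in elem.attrib:
        return value == elem.get("string")
    if "int" in elem.attrib:
        return value == int(elem.get("int"), 0)
    if "contains" in elem.attrib:
        return elem.get("contains") in (value if isinstance(value, list) else [value])
    raise ValueError("unsupported match attribute on key %r" % key)


def apply_rules(elem, props):
    """Recurse into matching <match> blocks; <merge> overwrites, <append> extends."""
    for child in elem:
        if child.tag == "match":
            if matches(child, props):
                apply_rules(child, props)
        elif child.tag == "merge":
            kind = child.get("type")
            if kind == "copy_property":          # value is the name of another key
                props[child.get("key")] = props[child.text]
            elif kind == "strlist":              # replaces the whole list
                props[child.get("key")] = [child.text]
            else:
                props[child.get("key")] = child.text
        elif child.tag == "append":
            props.setdefault(child.get("key"), []).append(child.text)


def evaluate(fdi_xml, props):
    """Apply every <device> block of an fdi document to one object; returns it."""
    for device in ET.fromstring(fdi_xml).findall("device"):
        apply_rules(device, props)
    return props


def polkit_action(props):
    """PolicyKit action id the ACL stage would consult for this object, or None."""
    if "access_control" not in props.get("info.capabilities", []):
        return None
    return "org.freedesktop.hal.device-access." + props["access_control.type"]


if __name__ == "__main__":
    for obj in sample_objects():
        evaluate(CYBERJACK_FDI, obj)
        evaluate(ACL_FDI, obj)
        print(obj["info.subsystem"], obj.get("info.category"),
              obj["info.capabilities"], polkit_action(obj), obj.get("access_control.file"))
```

Run stand-alone it shows that only the usb_device object, the one carrying linux.device_file, ends up with info.category = smart_card_reader, the capability list usb_device, smart_card_reader, access_control, the action org.freedesktop.hal.device-access.smart_card_reader and access_control.file = /dev/bus/usb/003/002; the interface object matches nothing because its info.subsystem is "usb" and its vendor/product keys are usb.*, not usb_device.*. Feeding MERGE_VARIANT instead wipes the existing "usb_device" keyword from the capability list, which is why append is the right verb for capabilities and merge only for the single-valued category. The live check from this comment does not change: polkit-auth run as the logged-in user should list the action, and getfacl on the device node should show a user:<name>:rw- entry. For the daemon user (pcsc-lite/openct), the manual grant the comment refers to is, per polkit-auth(1) of PolicyKit 0.9 as I recall it, of the form polkit-auth --user <daemon-user> --grant <action-id> in %post; verify the exact options against the installed polkit-auth before relying on it.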
--- Comment #14 from Wolfgang Rosenauer (wolfgang@rosenauer.org): https://bugzilla.novell.com/show_bug.cgi?id=438131#c14
--- Comment #15 from Wolfgang Rosenauer (wolfgang@rosenauer.org): https://bugzilla.novell.com/show_bug.cgi?id=438131#c15
--- Comment #16 from Wolfgang Rosenauer (wolfgang@rosenauer.org): https://bugzilla.novell.com/show_bug.cgi?id=438131#c16
--- org.freedesktop.hal.device-access.policy.old 2009-01-13 17:02:06.000000000 +0100 +++ org.freedesktop.hal.device-access.policy 2009-01-13 17:02:32.000000000 +0100 @@ -28,6 +28,15 @@ </defaults> </action>
+ <action id="org.freedesktop.hal.device-access.smartcard-ctapi"> + <description>Directly access to smartcard readers</description>
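Review bot: the new <action id="org.freedesktop.hal.device-access.smartcard-ctapi"> is opened here but the hunk as shown stops after its <description>, before the <defaults> block and the closing </action> that the preceding action's context lines ("</defaults> </action>") show every action carries. The <defaults> entries are what decide who gets the privilege, and comment #9 stated the intended policy (only the user physically logged in at the desk), so that part of the patch cannot be reviewed from this fragment; please post the full nine added lines of the hunk.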
And now some nits: "Directly access smartcard readers" without "to"
+ <match key="info.capabilities" contains="ctapi">
<match key="info.capabilities" contains="smartcard-ctapi">
--- Comment #17 from Stanislav Brabec (sbrabec@novell.com): https://bugzilla.novell.com/show_bug.cgi?id=438131#c17
--- Comment #19 from Stanislav Brabec (sbrabec@novell.com): https://bugzilla.novell.com/show_bug.cgi?id=438131#c19
--- Comment #20 from Stanislav Brabec (sbrabec@novell.com): https://bugzilla.novell.com/show_bug.cgi?id=438131#c20
--- Comment #21 from Stanislav Brabec (sbrabec@novell.com): https://bugzilla.novell.com/show_bug.cgi?id=438131#c21
--- Comment #22 from Stanislav Brabec (sbrabec@novell.com): https://bugzilla.novell.com/show_bug.cgi?id=438131#c22
--- Comment #23 from Danny Kukawka (dkukawka@novell.com): https://bugzilla.novell.com/show_bug.cgi?id=438131#c23
--- Comment #24 from Wolfgang Rosenauer (wolfgang@rosenauer.org): https://bugzilla.novell.com/show_bug.cgi?id=438131#c24
I have submitted a new attempt at a fix to security:chipcard.
Please update hal and ctapi-cyberjack from this repository and let me know.
It uses category: smart_card_reader and keyword smart_card_reader in capabilities.
Hmm, I have the hal changes done locally, but isn't the PolicyKit change needed in addition? At least I have them to be able to access the reader finally.
--- Comment #25 from Kai-Wilhelm Bolte (kwbolte@gmx.de): https://bugzilla.novell.com/show_bug.cgi?id=438131#c25