https://bugzilla.novell.com/show_bug.cgi?id=304149
Summary: openct package broken in suse 10.1
Product: SUSE Linux 10.1
Version: Final
Platform: 32bit
OS/Version: SuSE Linux 10.1
Status: NEW
Severity: Major
Priority: P5 - None
Component: Security
AssignedTo: security-team@suse.de
ReportedBy: aj@dungeon.inka.de
QAContact: qa@suse.de
Found By: Community of Practice
Hi, I'm the upstream maintainer of openct. I had a look at recent openct packages from suse and I'm pretty sure they are not working correctly. The hald addon uses /proc/bus/usb, which does not exist in suse I'm told; it should instead use /dev/bus/usb. Also, the fdi map does not match smart card readers via usb interface class 0b. Please use both the fdi map and hald-addon script from new openct 0.6.13 and update to 0.6.13 and you should be fine. Also, at least on ubuntu I had to install the hald-addon in /usr/bin, not /usr/sbin. Please check the right location will be used for opensuse.
thanks, Andreas
https://bugzilla.novell.com/show_bug.cgi?id=304149#c1
Ludwig Nussel lnussel@novell.com changed:
What      |Removed                |Added
----------------------------------------------------------------------------
AssignedTo|security-team@suse.de  |sbrabec@novell.com
--- Comment #1 from Ludwig Nussel lnussel@novell.com 2007-08-24 00:57:20 MST ---
reassign to maintainer
https://bugzilla.novell.com/show_bug.cgi?id=304149#c2
--- Comment #2 from Ludwig Nussel lnussel@novell.com 2007-08-24 00:57:31 MST ---
*** Bug 304148 has been marked as a duplicate of this bug. ***
https://bugzilla.novell.com/show_bug.cgi?id=304148
https://bugzilla.novell.com/show_bug.cgi?id=304149#c3
--- Comment #3 from Ludwig Nussel lnussel@novell.com 2007-08-24 00:57:38 MST ---
*** Bug 304147 has been marked as a duplicate of this bug. ***
https://bugzilla.novell.com/show_bug.cgi?id=304147
https://bugzilla.novell.com/show_bug.cgi?id=304149#c4
Stanislav Brabec sbrabec@novell.com changed:
What  |Removed |Added
----------------------------------------------------------------------------
Status|NEW     |ASSIGNED
--- Comment #4 from Stanislav Brabec sbrabec@novell.com 2007-08-24 08:29:57 MST ---
Updated for OpenSUSE 10.3 (partially related: bug 304316).
WONTFIX for 10.1, but might be good to fix for SLES10.
https://bugzilla.novell.com/show_bug.cgi?id=304149#c7
Stanislav Brabec sbrabec@novell.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC   |        |silviu_marin-caea@otpbank.ro
--- Comment #7 from Stanislav Brabec sbrabec@novell.com 2007-09-11 10:25:35 MST ---
*** Bug 284583 has been marked as a duplicate of this bug. ***
https://bugzilla.novell.com/show_bug.cgi?id=284583
https://bugzilla.novell.com/show_bug.cgi?id=304149#c8
--- Comment #8 from Stanislav Brabec sbrabec@novell.com 2007-09-11 10:26:19 MST ---
Even after update it does not work in openct-0.6.13, as reported in bug 284583.
https://bugzilla.novell.com/show_bug.cgi?id=304149#c9
Stanislav Brabec sbrabec@novell.com changed:
What         |Removed  |Added
----------------------------------------------------------------------------
Status       |ASSIGNED |NEEDINFO
Info Provider|         |silviu_marin-caea@otpbank.ro
--- Comment #9 from Stanislav Brabec sbrabec@novell.com 2007-09-11 10:58:54 MST ---
Could you try to edit /usr/lib/hal/hald-addon-openct and add some debugging output there:
#!/bin/bash
exec >/tmp/hald-addon-openct.log   # send stdout to a log file
exec 2>&1                          # send stderr to the same log
echo "$*"                          # record the arguments hald passed in
set -x                             # trace every command that follows
.. the rest of the script
(You can also verify atime to check, whether this script was even called.)
https://bugzilla.novell.com/show_bug.cgi?id=304149#c10
--- Comment #10 from Silviu Marin-Caea silviu_marin-caea@otpbank.ro 2007-09-12 04:37:03 MST ---
It doesn't appear to have been called. I have a nice system prompt with the time in it, to help see things clearly.
08:45:11 root@silviu:~# opensc-tool --list-readers
winscard_clnt.c:3420:SCardCheckDaemonAvailability() PCSC Not Running
Readers known about:
Nr.    Driver     Name
0      openct     Aladdin eToken PRO
1      openct     OpenCT reader (detached)
2      openct     OpenCT reader (detached)
3      openct     OpenCT reader (detached)
4      openct     OpenCT reader (detached)
# reinsert token
08:46:03 root@silviu:~# opensc-tool --list-readers
winscard_clnt.c:3420:SCardCheckDaemonAvailability() PCSC Not Running
Readers known about:
Nr.    Driver     Name
0      openct     OpenCT reader (detached)
1      openct     OpenCT reader (detached)
2      openct     OpenCT reader (detached)
3      openct     OpenCT reader (detached)
4      openct     OpenCT reader (detached)
08:46:11 root@silviu:~# cat /tmp/hald-addon-openct.log
cat: /tmp/hald-addon-openct.log: No such file or directory
08:46:26 root@silviu:~# rcopenct restart
Stopping smart card terminals0 processes killed. done
Starting smart card terminals done
08:46:38 root@silviu:~# opensc-tool --list-readers
winscard_clnt.c:3420:SCardCheckDaemonAvailability() PCSC Not Running
Readers known about:
Nr.    Driver     Name
0      openct     Aladdin eToken PRO
1      openct     OpenCT reader (detached)
2      openct     OpenCT reader (detached)
3      openct     OpenCT reader (detached)
4      openct     OpenCT reader (detached)
08:46:41 root@silviu:~# cat /tmp/hald-addon-openct.log
cat: /tmp/hald-addon-openct.log: No such file or directory
08:46:44 root@silviu:~# stat /usr/lib64/hal/hald-addon-openct
  File: `/usr/lib64/hal/hald-addon-openct'
  Size: 550  Blocks: 8  IO Block: 4096  regular file
Device: 804h/2052d  Inode: 2251972  Links: 1
Access: (0644/-rw-r--r--)  Uid: ( 0/ root)  Gid: ( 0/ root)
Access: 2007-09-12 08:44:39.000000000 +0300
Modify: 2007-09-12 08:44:39.000000000 +0300
Change: 2007-09-12 08:44:39.000000000 +0300
https://bugzilla.novell.com/show_bug.cgi?id=304149#c11
--- Comment #11 from Silviu Marin-Caea silviu_marin-caea@otpbank.ro 2007-09-12 04:46:11 MST ---
Wait a minute!
/usr/lib64/hal/hald-addon-openct was not executable! This is the problem.
I have reinstalled openct-0.6.13-4.x86_64.rpm from Factory, and this file does not have the execute bit.
chmod a+x solves the problem with the token not being seen after reinsert.
https://bugzilla.novell.com/show_bug.cgi?id=304149#c12
Silviu Marin-Caea silviu_marin-caea@otpbank.ro changed:
What         |Removed                      |Added
----------------------------------------------------------------------------
Status       |NEEDINFO                     |ASSIGNED
Info Provider|silviu_marin-caea@otpbank.ro |
--- Comment #12 from Silviu Marin-Caea silviu_marin-caea@otpbank.ro 2007-09-12 07:23:59 MST ---
Since this bug appears for version 10.1 final, I think something should be done so it gets fixed in time for 10.3. Change the version here or reopen https://bugzilla.novell.com/show_bug.cgi?id=284583 ?
https://bugzilla.novell.com/show_bug.cgi?id=304149#c13
--- Comment #13 from Stanislav Brabec sbrabec@novell.com 2007-09-12 07:53:01 MST ---
Submitted for Factory. Keeping this bug opened for SLE10.
https://bugzilla.novell.com/show_bug.cgi?id=304149#c14
--- Comment #14 from Silviu Marin-Caea silviu_marin-caea@otpbank.ro 2007-09-24 05:25:47 MST ---
In RC1 the bug appears to be fixed (the script is executable now). The token is detected properly, each time. I would close the bug for Factory, but I don't know the bug #
There is just one more cosmetic thing: the "status" of the /etc/init.d/openct script is not working properly. It displays "running" even if the service is stopped. I guess I should open another bug for that, with the lowest severity.
https://bugzilla.novell.com/show_bug.cgi?id=304149#c15
Carl Linden clinden@novell.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC   |        |clinden@novell.com
--- Comment #15 from Carl Linden clinden@novell.com 2007-10-25 03:32:40 MST ---
Will this defect be looked at for SLED10 as well? I currently have seen this at a customer when I have been testing openct.
//Carl
https://bugzilla.novell.com/show_bug.cgi?id=304149#c17
Stanislav Brabec sbrabec@novell.com changed:
What         |Removed  |Added
----------------------------------------------------------------------------
Status       |ASSIGNED |NEEDINFO
Info Provider|         |dkukawka@novell.com
--- Comment #17 from Stanislav Brabec sbrabec@novell.com 2007-12-03 09:00:11 MST ---
SLES10 uses custom openct fdi files, but it seems that the hal addon location is incorrect.
openct uses: /usr/sbin
correct seems to be: %{_libdir}/hal
Danny, what is the correct match for a generic USB device for SLES10?
<match key="info.bus" string="usb_device"> (as used by 10-wireless-mice.fdi and 10-usb-openct.fdi)
or
<match key="info.bus" string="usb"> (as used by 10-usb-music-players.fdi and 10-camera-ptp.fdi)
User dkukawka@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=304149#c18
Danny Kukawka dkukawka@novell.com changed:
What         |Removed             |Added
----------------------------------------------------------------------------
CC           |                    |dkukawka@novell.com
Status       |NEEDINFO            |ASSIGNED
Info Provider|dkukawka@novell.com |
--- Comment #18 from Danny Kukawka dkukawka@novell.com 2007-12-07 07:44:08 MST ---
The correct path for addons would be /usr/lib/hal/ or /usr/lib64/hal/ on 64bit, but not /usr/sbin.
The spec says about 'usb_device': "For device objects representing USB devices the property info.subsystem will be usb_device, and the following properties will be available. Note that the corresponding USB interfaces are represented by separate device objects as children." These are all devices which have a ':' in the last part of the sysfs path (the part behind the last '/').
And about 'usb': "Device objects that represent USB interfaces, ie. when info.subsystem assumes usb, are represented by the properties below. In addition all the usb_device.* properties from the parent USB device is available in this namespace but only with the usb prefix instead of usb_device."
You have to check lshal to find out, what you need.
User sbrabec@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=304149#c19
--- Comment #19 from Stanislav Brabec sbrabec@novell.com 2008-10-31 08:54:53 MDT ---
I just fixed more openct packaging issues for openSUSE 11.1 and it seems to work both with hotplug and coldplug.
User sbrabec@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=304149#c20
Stanislav Brabec sbrabec@novell.com changed:
What         |Removed  |Added
----------------------------------------------------------------------------
Status       |ASSIGNED |NEEDINFO
Info Provider|         |ptesarik@novell.com
--- Comment #20 from Stanislav Brabec sbrabec@novell.com 2009-03-23 11:23:49 MST ---
SLES11 is out and mentioned issues should be fixed there.
Should I backport these fixes for the next SP of SLES10?
Note: Smart Cards probably never worked correctly in SLES10 and this fix is probably only one part to make them working there.
User silviu_marin-caea@otpbank.ro added comment https://bugzilla.novell.com/show_bug.cgi?id=304149#c21
--- Comment #21 from Silviu Marin-Caea silviu_marin-caea@otpbank.ro 2009-03-24 00:58:04 MST ---
I'm using openSUSE Factory right now and I still see one annoying bug. After booting the computer it's necessary to restart the openct service to get it to work.
I don't remember any version of openSUSE that openct worked flawlessly since I've started using a token of my computer. :-(
I'll try to provide some details, so it's not just useless whining.
User silviu_marin-caea@otpbank.ro added comment https://bugzilla.novell.com/show_bug.cgi?id=304149#c22
--- Comment #22 from Silviu Marin-Caea silviu_marin-caea@otpbank.ro 2009-03-24 09:25:16 MST ---
Ok, this is embarrassing. The openct service is not enabled by default, that's why it "needed restart". Sorry.
However, a mechanism that would enable the service the first time the user inserts a token would be a nice usability feature.
Isn't that possible with hal scripts?
User sbrabec@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=304149#c23
--- Comment #23 from Stanislav Brabec sbrabec@novell.com 2009-03-24 09:54:15 MST ---
Yes, comment 21 is a known issue. The whole smart card infrastructure was installed by default in the past, as it was introduced by dependencies of ssh and other packages. It was not a good idea to start all these daemons for all users, especially if 99.9% of them have no smart card reader.
To fix this issue completely (see also bug 466430), we need:
- Split smart card packages according to shared library policy (not applicable for openct).
- Remove smart card infrastructure from the default installation.
- Provide auto-installation support when a smart card reader is available (hardware supplements for ZYPP; not possible for serial readers).
- Then we can start daemon by default or ensure that HAL addon does it automatically.
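
Added example, not part of the bug report or of the openct package: a small packaging check for the three addon defects reported in this thread (addon missing from the HAL addon directory, missing execute bit, use of /proc/bus/usb). The function name audit_hal_addon and its finding labels are hypothetical; the directory and file name are passed in by the caller.

```shell
#!/bin/sh
# Added example (not from the openct package): audit one HAL addon script
# for the packaging defects reported in this bug.
#
# audit_hal_addon ADDON_DIR NAME
#   ADDON_DIR  directory hald loads addons from (e.g. /usr/lib64/hal)
#   NAME       addon file name (e.g. hald-addon-openct)
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_hal_addon() {
    dir=$1
    name=$2
    f="$dir/$name"
    rc=0

    # Comments 17/18: an addon installed elsewhere (e.g. /usr/sbin) is not found.
    if [ ! -f "$f" ]; then
        echo "MISSING: $f is not in the HAL addon directory"
        return 1
    fi

    # Comment 11: the file was shipped 0644, so it was never executed.
    # -perm -111 matches only when user, group and other all have +x.
    if [ -z "$(find "$f" -perm -111)" ]; then
        echo "NOEXEC: $f lacks the execute bit"
        rc=1
    fi

    # Original report: the addon should use /dev/bus/usb, not /proc/bus/usb.
    if grep -q '/proc/bus/usb' "$f"; then
        echo "PROCUSB: $f references /proc/bus/usb"
        rc=1
    fi

    return $rc
}

# Stand-alone use: sh audit.sh /usr/lib64/hal hald-addon-openct
if [ $# -eq 2 ]; then
    audit_hal_addon "$1" "$2"
fi
```

Run in a package build's post-install check, a non-zero exit would have flagged the 0644 addon before it shipped.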