Bug 652884 - sys-apps/pcsc-lite: add pcsc user into plugdev group
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal enhancement
Assignee: Crypto team [DISABLED]
Reported: 2018-04-09 23:38 UTC by Anton Bolshakov
Modified: 2018-04-11 04:45 UTC
Description Anton Bolshakov 2018-04-09 23:38:50 UTC
I plugged a new USB smartcard reader recently and hit the following problem:

Apr 10 00:08:24 [pcscd] /var/tmp/portage/sys-apps/pcsc-lite-1.8.22/work/pcsc-lite-1.8.22/src/debuglog.c:289:DebugLogSetLevel() debug level=debug
Apr 10 00:08:24 [pcscd] /var/tmp/portage/sys-apps/pcsc-lite-1.8.22/work/pcsc-lite-1.8.22/src/debuglog.c:310:DebugLogSetCategory() Debug options: APDU
Apr 10 00:09:41 [start-stop-daemon] pam_unix(start-stop-daemon:session): session opened for user pcscd by root(uid=0)
Apr 10 00:09:41 [pcscd] ccid_usb.c:525:OpenUSBByName() Can't libusb_open(1/23): LIBUSB_ERROR_ACCESS
Apr 10 00:09:41 [pcscd] ifdhandler.c:151:CreateChannelByNameOrChannel() failed
Apr 10 00:09:41 [pcscd] /var/tmp/portage/sys-apps/pcsc-lite-1.8.22/work/pcsc-lite-1.8.22/src/readerfactory.c:1105:RFInitializeReader() Open Port 0x200000 Failed (usb:08e6/3437:libudev:0:/dev/bus/usb/001/023)
Apr 10 00:09:41 [pcscd] /var/tmp/portage/sys-apps/pcsc-lite-1.8.22/work/pcsc-lite-1.8.22/src/readerfactory.c:376:RFAddReader() Gemalto PC Twin Reader (EF2420E4) init failed.
Apr 10 00:11:08 [start-stop-daemon] pam_unix(start-stop-daemon:session): session opened for user pcscd by root(uid=0)
Apr 10 00:11:08 [pcscd] ccid_usb.c:525:OpenUSBByName() Can't libusb_open(1/23): LIBUSB_ERROR_ACCESS
Apr 10 00:11:08 [pcscd] ifdhandler.c:151:CreateChannelByNameOrChannel() failed
Apr 10 00:11:08 [pcscd] /var/tmp/portage/sys-apps/pcsc-lite-1.8.22/work/pcsc-lite-1.8.22/src/readerfactory.c:1105:RFInitializeReader() Open Port 0x200000 Failed (usb:08e6/3437:libudev:0:/dev/bus/usb/001/023)
Apr 10 00:11:08 [pcscd] /var/tmp/portage/sys-apps/pcsc-lite-1.8.22/work/pcsc-lite-1.8.22/src/readerfactory.c:376:RFAddReader() Gemalto PC Twin Reader (EF2420E4) init failed.




First of all, the description in the pkg_postinstall is not accurate:
pkg_postinst() {
        elog "Starting from version 1.6.5, pcsc-lite will start as user nobody in"
        elog "the pcscd group, to avoid running as root."

it must be "will start as user pcscd"


Secondly, the same user must be in the "plugdev" group in order to fix the problem above.


----------
sys-apps/pcsc-tools-1.4.27

emerge --info
Comment 1 Alon Bar-Lev (RETIRED) gentoo-dev 2018-04-10 09:35:29 UTC
The mechanism is different... the reader driver should mark with udev that pcsc should have access; we do not want pcscd to have access to all devices.

See the example in ccid [1]; then the pcsc rules set the group, see [2]

[1] https://github.com/gentoo/gentoo/blob/master/app-crypt/ccid/files/92_pcscd_ccid-2.rules
[2] https://github.com/gentoo/gentoo/blob/master/sys-apps/pcsc-lite/files/99-pcscd-hotplug.rules
Comment 2 Anton Bolshakov 2018-04-10 12:37:04 UTC
ok, thanks, I didn't know it.

I can see that my smartcard reader (08e6:3437) is not in that list.

Can you help to include it?
Comment 3 Anton Bolshakov 2018-04-10 12:42:56 UTC
bash$ lsusb -d 08e6:3437 -v

Bus 001 Device 026: ID 08e6:3437 Gemalto (was Gemplus) GemPC Twin SmartCard Reader
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass            0 
  bDeviceSubClass         0 
  bDeviceProtocol         0 
  bMaxPacketSize0         8
  idVendor           0x08e6 Gemalto (was Gemplus)
  idProduct          0x3437 GemPC Twin SmartCard Reader
  bcdDevice            2.00
  iManufacturer           1 Gemalto
  iProduct                2 USB SmartCard Reader
  iSerial                 3 EF2420E4
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength           93
    bNumInterfaces          1
    bConfigurationValue     1
    iConfiguration          0 
    bmAttributes         0xa0
      (Bus Powered)
      Remote Wakeup
    MaxPower               50mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           3
      bInterfaceClass        11 Chip/SmartCard
      bInterfaceSubClass      0 
      bInterfaceProtocol      0 
      iInterface              0 
      ChipCard Interface Descriptor:
        bLength                54
        bDescriptorType        33
        bcdCCID              1.01  (Warning: Only accurate for version 1.0)
        nMaxSlotIndex           0
        bVoltageSupport         7  5.0V 3.0V 1.8V 
        dwProtocols             3  T=0 T=1
        dwDefaultClock       4800
        dwMaxiumumClock      4800
        bNumClockSupported      0
        dwDataRate          12903 bps
        dwMaxDataRate      825806 bps
        bNumDataRatesSupp.     53
        dwMaxIFSD             254
        dwSyncProtocols  00000000 
        dwMechanical     00000000 
        dwFeatures       00010230
          Auto clock change
          Auto baud rate change
          NAD value other than 0x00 accepted
          TPDU level exchange
        dwMaxCCIDMsgLen       271
        bClassGetResponse      00
        bClassEnvelope         00
        wlcdLayout           none
        bPINSupport             0 
        bMaxCCIDBusySlots       1
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x01  EP 1 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x82  EP 2 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x83  EP 3 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0008  1x 8 bytes
        bInterval              16
can't get device qualifier: Resource temporarily unavailable
can't get debug descriptor: Resource temporarily unavailable
Device Status:     0x0000
  (Bus Powered)
Comment 4 Alon Bar-Lev (RETIRED) gentoo-dev 2018-04-10 19:11:36 UTC
Normally, there is no need to add a specific USB device.

Your bInterfaceClass is 0x0b, which is generic; the following rule should apply. Please try to find out what went wrong:

---
# generic CCID device (bInterfaceClass = 0x0b)
# change group from default "root" to "pcscd"
ENV{ID_USB_INTERFACES}=="*:0b0000:*", ENV{PCSCD}="1"
---
Comment 5 Anton Bolshakov 2018-04-11 02:03:59 UTC
ok, I found the problem. The package app-crypt/ccid wasn't installed when I hit this problem.

Shouldn't it be a dependency of pcsc-lite (or sys-apps/pcsc-tools)?
Comment 6 Alon Bar-Lev (RETIRED) gentoo-dev 2018-04-11 04:45:20 UTC
ccid is the driver for *your* smartcard, there are other drivers.
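
The two-stage mechanism from comments 1 and 4, as an added example that is not part of the bug thread or of Gentoo's rule files: a shell check that reports which stage failed for a reader. The function names, verdict strings and sample property dumps are assumptions constructed for illustration; the PCSCD property, the "*:0b0000:*" match and the pcscd group come from the rule quoted in comment 4.

```shell
#!/bin/sh
# Added example: which udev stage failed when pcscd gets LIBUSB_ERROR_ACCESS?

# True if an ID_USB_INTERFACES value matches the generic CCID glob
# from comment 4 ("*:0b0000:*", i.e. bInterfaceClass 0x0b).
matches_generic_ccid() {
    case "$1" in
        *:0b0000:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the value of property $1 from KEY=value lines on stdin.
prop() {
    sed -n "s/^$1=//p" | head -n 1
}

# diagnose PROPS GROUP: PROPS is udev property text, GROUP the group
# owning the device node. Prints one verdict word (names are hypothetical).
diagnose() {
    props=$1 group=$2
    ifaces=$(printf '%s\n' "$props" | prop ID_USB_INTERFACES)
    tagged=$(printf '%s\n' "$props" | prop PCSCD)
    if ! matches_generic_ccid "$ifaces"; then
        echo not-generic-ccid     # generic rule cannot match this device
    elif [ "$tagged" != 1 ]; then
        echo driver-rule-missing  # stage 1: no driver rule set PCSCD=1
    elif [ "$group" != pcscd ]; then
        echo group-rule-missing   # stage 2: node group was not changed
    else
        echo ok
    fi
}

# Live use on a real node, e.g. diagnose_node /dev/bus/usb/001/023
diagnose_node() {
    diagnose "$(udevadm info --query=property --name="$1")" "$(stat -c %G "$1")"
}

# Constructed sample: the reader from the thread with no driver rule applied.
SAMPLE_UNTAGGED='DEVNAME=/dev/bus/usb/001/023
ID_VENDOR_ID=08e6
ID_MODEL_ID=3437
ID_USB_INTERFACES=:0b0000:'
# Constructed sample: the same device after a driver rule set PCSCD=1.
SAMPLE_TAGGED="$SAMPLE_UNTAGGED
PCSCD=1"
```

The driver-rule-missing verdict corresponds to the situation found in comment 5, where app-crypt/ccid and its rule file were not installed.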