[Muscle] Re: [opensc-devel] OpenCT and limiting use of the reader to
the console user only
Douglas E. Engert
deengert at anl.gov
Thu Oct 19 12:25:08 PDT 2006
Ludovic Rousseau wrote:
> On 19/10/06, Andreas Jellinghaus <aj at dungeon.inka.de> wrote:
>
>> Douglas E. Engert wrote:
>> > Is there any way to have OpenCT limit access to reader devices to
>> > the user logged in at the console?
>>
>> sure.
>> chgrp scard /var/run/openct
>> and configure some pam module for login only,
>> so it adds the user to group scard.
>>
>> that way only those who used login have group scard and can
>> use openct, while those using ssh, kdm, whatever can not.
>>
>> > I sent a similar note to the muscle list asking about PCSC.
>>
>> sorry, I have little clue about pcsc. maybe ludovic knows?
>> I guess you can set permissions on the pcsc sockets too.
>
>
> I also proposed to change the permissions on the /var/run/pcscd.*
> files. Your idea of dynamically adding a user to a particular group is
> very good.
I think that this idea was dropped in 2000 or so because of the ability
of a user, once in a group, to create a program or script with the
set-group-ID bit and then use that program at a later time to
access the device when they should not.
I believe hal was trying to address that problem.
> I would prefer "smartcard" as the group name to be more
> explicit.
Ubuntu is using scard as a group with OpenCT.
>
> Do you know a PAM module that does that?
pam_console was to change permissions on files; I don't know
of one that adds groups to a session.
>
> Bye,
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
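The set-group-ID persistence problem raised above is easy to check for and to close off. The script below is an added example, not code from this thread, OpenCT, or pcscd: it lists files with the setgid bit whose group is the reader group (the name "scard" follows Andreas's suggestion; the scanned paths and the sample mount table are constructed here), and flags user-writable mounts that lack nosuid, since on Linux nosuid ignores both set-user-ID and set-group-ID bits and so defeats the trick regardless of who is in the group. Both checks are plain POSIX sh using find and getent.

```shell
#!/bin/sh
# Added example (not from the OpenCT/Muscle thread). Audits for the
# "stash a setgid program while I'm in group scard" trick and for the
# mount option that neutralises it. Group name and paths are assumptions.

# find_setgid_for_gid DIR GID
# Print every regular file below DIR whose group is GID and whose
# set-group-ID bit (mode 2000) is set. Such a file keeps granting the
# group to whoever runs it, even after the owner leaves the group.
find_setgid_for_gid() {
    dir="$1"
    gid="$2"
    find "$dir" -xdev -type f -gid "$gid" -perm -2000 2>/dev/null
}

# audit_group_setgid [GROUP]
# Resolve GROUP (default: scard, the group Andreas suggested) with getent
# and scan the whole root filesystem. Returns 0 when clean, 1 when at
# least one setgid file for that group exists, 2 when the group is absent.
audit_group_setgid() {
    group="${1:-scard}"
    gid=$(getent group "$group" | cut -d: -f3)
    [ -n "$gid" ] || { echo "group $group not found" >&2; return 2; }
    hits=$(find_setgid_for_gid / "$gid")
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# mounts_missing_nosuid MOUNTS_FILE
# Read lines in /proc/mounts format (device mountpoint fstype options ...)
# and print the mount points whose option list lacks "nosuid". Any of
# these that users can write to is a place to park a setgid binary.
mounts_missing_nosuid() {
    while read -r dev mnt fstype opts rest; do
        case ",$opts," in
            *,nosuid,*) ;;
            *) printf '%s\n' "$mnt" ;;
        esac
    done < "$1"
}

# Stand-alone use: audit the live system.
if [ "${AUDIT_LIVE:-0}" = "1" ]; then
    audit_group_setgid scard
    echo "mounts without nosuid:"
    mounts_missing_nosuid /proc/mounts
fi
```

Run it with AUDIT_LIVE=1 as root for a real scan; both functions can also be called on their own. Anything the first check reports should be removed, and anything the second reports that users can write to (home directories, /tmp, /var/tmp) should be remounted with nosuid, which removes the need to trust that nobody planted a program while they held the group.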