• Bug#930530: pcscd: Runs with possibly unnecessary privileges

    From Kevin Locke@21:1/5 to Ludovic Rousseau on Thu Mar 27 00:10:01 2025
    On Wed, 2025-03-26 at 16:42 +0100, Ludovic Rousseau wrote:
    On 14/06/2019 at 21:43, Ludovic Rousseau wrote:
    On 14/06/2019 at 18:02, Kevin Locke wrote:
    pcscd currently runs as root.  This is a security risk (as pointed out
    in the SECURITY file shipped with pcscd).  It was previously fixed in
    Bug #606142 and regressed back to root when systemd support was added
    (setgid was removed in 798d03c).

    Is there a reason that pcscd needs to run as root, rather than a normal
    user with access to the necessary device files?  If so, could the
    rationale be documented in the SECURITY file?  If not, what would be
    required to run as a non-root user and would you accept patches that
    make the necessary changes?

    You are completely right.
    It is a known task on my TODO list. See https://salsa.debian.org/rousseau/PCSC/issues/10

    The issue https://salsa.debian.org/rousseau/PCSC/issues/10 was about restricting pcscd accesses using systemd hardening.
    This issue is fixed in the latest release 2.3.2. https://blog.apdu.fr/posts/2025/03/new-version-of-pcsc-lite-232/

    That's wonderful! Those changes look great and 2.3.2-1 is working
    well for me. Thank you for working on it and for posting this update!

    But pcscd is still running as root.

    The next step is to run pcscd as a normal user.
    This change is on my todo list.

    Bye, and thank you for your patience

    That'll be great. I really appreciate the restrictive sandboxing in
    the meantime.

    Thanks again for your work on this!

    --
    Cheers,
    Kevin
