[Pcsclite-muscle] [PATCH] pcsc-lite & polkit: allow auth_admin

Nikos Mavrogiannopoulos nmav at redhat.com
Fri Dec 5 10:11:32 UTC 2014


On Thu, 2014-12-04 at 16:07 +0100, Ludovic Rousseau wrote:

> >> Should I revert the patch?
> > The drawback of that approach is that each accept()ed session will be blocked
> > until the password is entered and sent by the user. If the user goes for lunch
> > without entering a password that session will be blocked from processing any
> > other requests. I cannot predict how that would affect typical pcscd usage.
> > I think that it would be better for that change to be combined with using polkit
> > asynchronously.
> IsClientAuthorized() is called only from ContextThread(). This code is
> running in a thread dedicated to the PC/SC client (in fact dedicated
> to a SCardEstablishContext context). So blocking this thread should
> not affect the other pcscd tasks.

I remember I have practical issues with polkit authentication enabled,
and that why it was explicitly disabled. It's been some time and I may
be wrong, but you may know better whether an application (e.g. a gnome
component) could potentially use a single pcscd connection for multiple
requests sent in parallel. If Stanislav has, however, tested such use
cases and they cause no issue I have no problem with the change.

> Stanislav Brabec wrote:
> Well, We can keep the patch and change defaults. Then the default
> configuration can never cause delays, but users of ssh remote sessions
> and so will still be able to authorize after admin's conscious changes
> of configuration.

I find that wrong. The policy should not be used to correct a software
issue.

regards,
Nikos





More information about the Pcsclite-muscle mailing list