diff options
author | Sumit Bose <sbose@redhat.com> | 2015-10-30 16:29:31 +0100 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2015-11-20 14:56:34 +0100 |
commit | 3be9e26dcd169d44ae105f1b8a0674464c700b77 (patch) | |
tree | 5b7a6c35bd3a9b2b1e2dbf104fb6e60e69fafd50 /contrib/sssd-pcsc.rules.in | |
parent | aedc71fe8360a51785933523f14bb5c4e7e2c38b (diff) | |
download | sssd-3be9e26dcd169d44ae105f1b8a0674464c700b77.tar.gz sssd-3be9e26dcd169d44ae105f1b8a0674464c700b77.tar.xz sssd-3be9e26dcd169d44ae105f1b8a0674464c700b77.zip |
p11: allow p11_child to run completely unprivileged
To only operation of p11_child which requires special privileges is the
communication to pcscd which handles the Smartcard access. pcscd uses
policy-kit for access control so access can easily be configured by
dropping config snippets into the right directory.
If SSSD is configured to run as un-privileged user this patch creates
the needed config snippet for policy-kit and installs it in a suitable
directory. As a result p11_child does not have to be installed with
SETUID or SETGID bits set.
Resolves https://fedorahosted.org/sssd/ticket/2755 by making it obsolete
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Diffstat (limited to 'contrib/sssd-pcsc.rules.in')
-rw-r--r-- | contrib/sssd-pcsc.rules.in | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/contrib/sssd-pcsc.rules.in b/contrib/sssd-pcsc.rules.in new file mode 100644 index 000000000..31d2dbe4f --- /dev/null +++ b/contrib/sssd-pcsc.rules.in @@ -0,0 +1,15 @@ +// Please put this file in /usr/share/polkit-1/rules.d/ if SSSD is running as +// unprivileged user '@SSSD_USER@' to allow access to the Smartcard via pcscd. +polkit.addRule(function(action, subject) { + if (action.id == "org.debian.pcsc-lite.access_card" && + subject.user == "@SSSD_USER@") { + return polkit.Result.YES; + } +}); + +polkit.addRule(function(action, subject) { + if (action.id == "org.debian.pcsc-lite.access_pcsc" && + subject.user == "@SSSD_USER@") { + return polkit.Result.YES; + } +}); |