Delegate WinSCard calls to another library (for a RDP server for example) #161
Comments
Maybe another approach for discussion: A multi-"user" and/or client/server thing. The UNIX tun/tap networking driver is a great example. With this way, we can not only have one singular "source of truth" for smartcards, but multiple at the same time.
Of course, when the connection between the host application and the PCSC daemon becomes closed/invalid, the smartcard is basically "unplugged". The
When done with any form of When doing IPC over sockets (see below) there would not be any executable code that is being loaded in any way to the suid process, except the default
Since PCSC does IPC over UNIX sockets, why not just the same thing again?
My opinion is, that when the current IPC is "fast enough", just reuse the existing approach.
IMO, Absolutely. Maybe we can reuse the already existing socket for normal client access, this would not need any configuration change whatsoever. References: |
|
@boomer41 I don't know RDP details and I have a question: the session visible through RDP is the same as the session on the console? On a Unix system you can have as many remote connections as you want and each connection is different on the server (for example using X11 remote connection or ssh connection). |
Yes and no. It depends on the edition of Windows (Client/Server) and configured settings. (Terminal-)ServersEvery user can have multiple concurrent sessions. Clients / Non-Server-EditionOn clients (Windows 10/11), only one concurrent session is possible at one time. Scenario AWhen User A is connected via Console, and user B connects via RDP, User A's session is disconnected and A gets sent to the lock screen. Scenario BWhen User A is connected via Console, and the same user A connects via RDP, the console screen is sent to the login screen and the same session is now displayed via RDP. Visual material on how RDP works on Windows Clients: https://youtu.be/LmnMRCixwLU?si=EkUM0XlSK-WLzbF0&t=341 |
|
Thanks for the explanations @boomer41. I asked because you proposed to inject the reader (connected on the client side) in the pcscd running in the server. Is this the expected behaviour? |
|
IMO it should only see the readers connected to it's session or same uid. It would be a mess of confusion if it worked otherwise, and security is also problematic. For each user session on terminal servers it would be better to start a PCSC server per session/user (with disabled physical smart cards), and have the PCSC socket be set as an env variable. Terminal servers are, imo, a special case where such a setup seems reasonable. systemd --user can do such things already. We could also have some UID filtering for a global PCSC process. Physical cards would behave unchanged (or visibility can be controlled bei uid, gid, too? Configs are our friend.) Sorry for the amount of edits. Mobile GitHub is trolling hard ATM. |
|
That would be convenient. For example, replacement via LD_PRELOAD does not work with chromium sandbox. |
|
xrdp maintainer here. LD_PRELOAD / LD_LIBRARY_PATH are a bit broken in general for terminal servers as there are privileged executables that can remove them when a session starts (see e.g. Debian BTS #711623). We can come up with workarounds, but you can see that this isn't ever going to be maintenance free. One PCSC daemon per session/user is I think desirable from a security perspective as it provides strong separation between users without needing to explicitly test it. For the particular user-case I'm concerned with, redirecting I can't see any particular reason to make the daemon per-user rather than per-session (at least as far as the terminal server use-case goes). It might make systemd integration a little easier, but is that a good enough reason to add the extra complexity in to the daemon itself? Am I missing something? |
|
Thanks for your comments @matt335672 & @AndreyBarmaley
|
|
Thanks @LudovicRousseau To be clear, are you proposing |
@matt335672 I was thinking about another library using the same WinSCard API. So no need to define a protocol to talk over a socket. |
|
Perhaps rather than wholesale switching between PC/SC implementation, it could be possible to aggregate them? Something similar to how p11kit. Different PC/SC providers would register themselves globally in the system, and it would be up to each library to decide when to provide actual readers to the multiplexer or not. |
|
@CendioOssman I don't think we need a multiplexer here. A redirector should be enough. The readers that should be visible to an application are either:
Is there a use case where we need to mix these 2 options? |
|
I don't think there is myself. Also, it's not clear to me how the permissions would work in a case like this. |
|
It's probably not very common, but I can think of two scenarios:
|
|
On Windows, such decision is the role of |
Very good point. |
|
Not necessary, this is done by the system automatically (at least from a PC/SC user point of view). I guess that's why EDIT: you were probably thinking from the RDP server point of view here and not the regular PC/SC application consumer. In that case |
|
After reading through this, sure, I think LIBPCSCLITE_DELEGATE can work. I think most important here is to agree on something. I assume LIBPCSCLITE_DELEGATE would look like LIBPCSCLITE_DELEGATE=/usr/lib/xrdp/libpcsc_xrdp.so or the like. I guess libpcsclite would lookup all these functions on startup. This sounds a bit like libglvnd. |
|
I'm still cautious about limiting us to just the one library, but if we're going the |
|
@jsorg71 you are right. It sounds like libglvnd (I did not know this project) @CendioOssman multi-arch systems should be supported if you use |
|
Hey Pierre, I don't want to be dismissive of your concerns or anyone's concerns but I also feel if this gets too complicated nothing will get done. A multiplex design now seems complicated and it seems it could be done in the delegate anyway. We(xrdp) have had this crappy PCSC redirection problem since the beginning with users asking for status with no light ahead until now. Also important is that Ludovic seems to want to do this and finally to have pcsclite support for this use case is just miles ahead of what we had. |
|
I'd just like to pick up on the multi-arch conversation and the delegation. This comment is focussing on deployment rather than implementation, so I'm thinking it's mainly of interest to Pierre. In particular, I'm thinking of RHEL and the derivatives. I don't have any great love for Red Hat after their actions this year, but we have a significant following using Alma and Rocky. When I say RHEL below, I'm including the derivatives. On RHEL, PCSC-Lite is part of the BaseOS and xrdp is part of EPEL. Consequently, PCSC-Lite isn't updated for the lifetime of the system, but xrdp will be updated much more quickly. PCSC-Lite is on v1.9.4 for RHEL 9, and I believe it will stay on that version until 2032, if previous behaviour is anything to go by. This means to support some operating systems, we need a way to delegate the other way round, at least until older versions of RHEL are no longer in use. We can do this as follows:-
On systems with a compatible version of PCSC-Lite we just set On systems without a compatible version of PCSC-Lite :-
When any application using PCSC-Lite starts, the xrdp library will be preferentially loaded. This will detect whether it is running as part of a terminal session, and if not it will redirect to the standard library using the This approach won't support multi-arch without more work. |
|
Yes, whatever comes out of the discussion here will only be for new systems, and a fallback will always be needed. It would be nice if |
|
This would be great for using the PC/SC services from windows inside WSL linux too! |
|
Good idea @rhoog-ine. |
|
Hello, A sample library is provided in https://github.com/LudovicRousseau/PCSC-debug/blob/master/src/libfake.c What you have to do:
Example: The sample fake library returns @boomer41 @matt335672 @CendioOssman @Maxhy @jsorg71 @rhoog-ine tell me is this implementation works for you. |
|
I think this is a great generic mechanism. It would also allow doing virtual card stuff like |
|
@rhoog-ine the delegate library can return multiple readers for |
|
The support of I will regularly rebase this branch over the master branch to keep it up-to-date. |
|
@LudovicRousseau - sorry it's taken me a few days to get here. I've got a stub library in an xrdp build which implements the libpcsclite.so API. It's not complete yet, but with your pcsc-debug library I can use it to return status on a Yubikey with a couple of slots set up:- $ export LIBPCSCLITE_DELEGATE=/usr/local/lib/xrdp-pcsc/libpcsclite.so.1
$ yubico-piv-tool -a status
Version: 5.2.4
Serial Number: 10664738
CHUID: 3019d4e739da739ced39ce739d836858210842108421c84210c3eb3410b7c842dcdb63f0b7746242695fe12856350832303330303130313e00fe00
CCC: No data available
Slot 9a:
Algorithm: ECCP256
Subject DN: CN=mjb
Issuer DN: CN=mjb
Fingerprint: 8b36bfac9aba036c1be05e066fbe065b6fc57324c63ac3e3bdc9212c6c0ca371
Not Before: Oct 22 11:38:45 2023 GMT
Not After: Oct 22 00:00:00 2024 GMT
Slot 9c:
Algorithm: RSA2048
Subject DN: CN=mjb
Issuer DN: CN=mjb
Fingerprint: 9d36789cf72731134bad81086a49232eec3cde682572064d502e5007a3ec6f0f
Not Before: Oct 22 11:48:13 2023 GMT
Not After: Oct 22 00:00:00 2024 GMT
PIN tries left: 3
That's good enough for me at this stage. Looking at the code, I can see it's implemented as I expected, so I see no reason why this shouldn't work for us. I can see how multilib can be supported for xrdp sessions:-
|
|
Thanks @matt335672 for the feedback. You can name you library |
|
Hello All, You can get an archive of the source code from https://pcsclite.apdu.fr/files/pcsc-lite-2.0.3-delegate.tar.bz2 |
|
That's a good idea, and thanks for thinking of us. At the moment we're looking at using the redirector for user sessions only (i.e. after login), so that restriction won't affect us there. I don't think a lot of desktops work if you log in as root anyway. An xrdp implementation of Windows hello or similar won't need |
LudovicRousseau
changed the title
|
Do I understand correctly, that setting the environment variable I have too little knowledge of Linux' security model, but I would think that the typical attack model asumes that simply modifying an environment variable by an attacker should not be sufficient to access critical user assets. |
|
Yes, you are right @frankmorgner. Using That is one reason why this change is not yet in production. It has some "problematic" effects and we need to discuss. If an attacker is able to inject an environment variable I think the security is already lost. So |
|
If we're comparing LIBPCSCLITE_DELEGATE to LD_PRELOAD, maybe the same security should apply? |
|
Exact @boomer41. I already added this kind of test in LudovicRousseau/PCSC-debug@f3edd3f Do you think the code should do more checks? If yes then what? |
glibc uses the auxiliary vector to see if it shall run in secure mode [1]. If it is set, the "unsecure environment variables" are simply removed, effectively ignoring them [3]. [1] https://elixir.bootlin.com/glibc/glibc-2.39.9000/source/sysdeps/unix/sysv/linux/dl-parse_auxv.h#L46 |
|
Alternatively, secure_getenv() [1] may be used. Edit: secure_getenv() source in [2] [1] https://man7.org/linux/man-pages/man3/secure_getenv.3.html |
|
I'd be happy with that @boomer41. It shouldn't affect normal uses of |
|
@LudovicRousseau - can I PM/email you somehow about a potential security issue related to this discussion? I'm on Gitter if that helps. |
|
@matt335672 you email is available from https://blog.apdu.fr/articles/about_me/ |
|
Thanks. Email sent from domain vocalistic.com |
|
DLL Hijacking is known for quite some time and applications that don't want that, have taken counter measures against it. The concern I have, would be that BTW, would it be possible for an attacker running with user's rights to replace the system's |
@frankmorgner If you define So it is already possible capture all the APDUs using a fake pcscd. This mechanism was already used by some RDP servers but it is not working fine (the protocol is not defined, not everything is possible, etc.) |
|
Hmm, OK, not sure if I like it... |
|
Another way to consider the security is asking:
In general if a user can change their environment and write to disk then they can shoot themselves in the foot. |
Because of that, my personal recommendation is to use |
Done in LudovicRousseau/PCSC-debug@721c264 pcsc-lite already uses |
|
As said above, DLL hijacking is known for a long time and in particular programs know how to prevent |
I appreciate your concern for security, so don't mean this to sound argumentative. Thinking out loud:
|
|
Thinking about it a bit more this morning, I think if your threat model is the user account is already compromised (in order to set env) then LIBPCSCLITE_DELEGATE and LD_PRELOAD are red herrings. In that compromised environment the running process can be attached to with a debugger and read/write content intercepted. You can't help a user that is already compromised. Show me I'm wrong. :) |
|
Maybe this development would make it easier to implement what is asked here: https://stackoverflow.com/questions/77112999/how-to-mount-pcsc-from-macos-to-linux-docker-container |
|
Good point @martinpaljak. Someone would have to write a conversion between pcsc-lite and macOS PCSC framework since the APIs are not exactly the same (different types: |
|
Thanks everybody for your participation in the discussion. |
Problem
In some cases it is required that the WinSCard API (implemented by
libpcsclite.so.1) is redirected to another library.Proposal
libpcsclite.so.1reads an environment variable (likeLIBPCSCLITE_DELEGATE) to redirect all the function calls to the other library defined byLIBPCSCLITE_DELEGATE.Open questions
Please add your comments/questions/etc.
The text was updated successfully, but these errors were encountered: