-
-
Notifications
You must be signed in to change notification settings - Fork 106
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
pcscd - apache - NOT authorized for action: access_pcsc #26
Comments
I propose you to report the problem to Fedora. |
Ok, this is the report I wrote six days ago. So far no comments, which is rare: 315567 @ Fedora Forum Perhaps I can help searching for the cause somehow but I don't know where to start. What triggers Edit: Just made a program that connected to the file system socket and got the same result (but with my userid), so it seems apache is really trying to connect to that socket too. Odd. I take it you don't know of any situation when that would make sense? |
pcscd is the daemon. The client is My first guess is that apache is configured to use a smart card to store a TLS private key. Maybe through a PKCS#11 library like OpenSC. You will have to find why apache is, indirectly, using |
So what was the problem exactly? |
No idea. I added more info to my thread on the Fedora site (but it's not been published yet) and closed the ticket here since it's very unlikely a problem in I've used
|
I guess |
Neither do I but for some sort of completeness I'll include the output from Startup:
Connection attempt:
Br, |
Who are the processes 43486 and 43507 I see in your log? apache processes? |
I haven't confirmed it, but I'd say yes since your code checks the owner of the pid, and user 48 is apache and it also got my userid right when I made a small test program to connect to the socket. I've noticed that the pcscd log entries seems to only be comming in between 06:00 and ~12:10 which seems to suggest that there's something going on my server in the morning hours but I haven't figured out what. The pcscd log entries don't match (in time) any other log entries (for apache or others). |
I managed to narrow it down to a
All users but Edit: |
I guess wget is using a PKCS#11 library like OpenSC and OpenSC is then talking to PC/SC. |
If only I could understand why and what I need to reconfigure to make it stop. :-(
|
You should have a look at Polkit. I never used Polkit myself so I can't really help. The support was added for RedHat. |
Thanks, I got that to work by changing |
|
Ok, I can see how that can be handy if requested. curl seems to have a command line option to specify a client certificate with a PKCS#11 URI that may direct it to a smart card if I understand it correctly. wget fails getting access - but still works just fine. |
There is now a fresh build of GnuTLS (not on master yet) that fixes this issue! Thanks for your help! It took some time to narrow this down :-) |
@TedLyngmo I am also seeing:
When running a simple How did you fix it in the end ? Its not clear from the thread here. |
@udf2457 Sorry for the late reply. The problem was in The command you are using still triggers the log messages for unauthorized users for me too, which I'm guessing is correct. So, with this
I can run |
Thanks for the analysis. |
Try to use a (CCID) class driver if a specific driver fails to use the reader. This may happen if both acsccid and ccid drivers are installed. acsccid should be used first. This feature was present in src/hotplug_libudev.c but not yet in src/hotplug_libusb.c. " ccid vs acsccid - miss probing #26 " acshk/acsccid#26
After upgrading from Fedora 25 to F26
/var/log/messages
started getting a pair of these lines 1-2 times a minute:User 48 is apache. I never saw these messages before the upgrade and I wonder what apache possibly could want with pcsc?
Any ideas what could be causing this?
Version: pcsc-lite.x86_64 1.8.22-1.fc26
The text was updated successfully, but these errors were encountered: