FS#77799 - [pcsclite] split the package, so that only the daemon would depend on polkit?

Attached to Project: Community Packages
Opened by Neven Sajko (Neven) - Thursday, 09 March 2023, 21:55 GMT
Last edited by Buggy McBugFace (bugbot) - Saturday, 25 November 2023, 20:09 GMT
Task Type: Feature Request
Category: Packages
Status: Closed
Assigned To: Jan Alexander Steffens (heftig)
Architecture: All
Severity: Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 2
Private: No

Details

A few days ago Polkit support was enabled in the pcsc-lite package, which also required adding polkit to package dependencies. However, checking the files in /usr/bin and /usr/lib owned by pcsc-lite with ldd seems to indicate that the pcscd daemon is the only thing that actually depends on polkit.

My situation is that I use KeePassXC, but don't use smartcards (who does, anyway?).

Would it be possible to split the pcsclite package, so that the daemon wouldn't taint the other parts by depending on Polkit?
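
The ldd check described in the report, as an added shell example that is not part of the original report: it lists which files a pacman package installs under /usr/bin and /usr/lib link, directly or transitively, against a given library. The function names, the PKG and LIB variables and the sample report are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the report). PKG and LIB defaults are assumptions.

# Emit a "path:" header plus ldd output for each regular file named on stdin.
# ldd is only appropriate for trusted, installed binaries such as these.
ldd_report() {
    while IFS= read -r f; do
        [ -f "$f" ] || continue
        printf '%s:\n' "$f"
        ldd "$f" </dev/null 2>/dev/null || true   # non-ELF files make ldd fail
    done
}

# Read such a report on stdin and print every file that has a dependency
# whose name starts with $1 (for example "libpolkit").
linked_against() {
    awk -v lib="$1" '{
        c = substr($0, 1, 1)
        if (c != " " && c != "\t") {        # unindented line: "path:" header
            file = ($0 ~ /:$/) ? substr($0, 1, length($0) - 1) : ""
            next
        }
        if (file != "" && index($1, lib) == 1 && !(file in seen)) {
            seen[file] = 1
            print file
        }
    }'
}

# Constructed sample report (addresses and library paths are made up).
sample_report() {
    printf '/usr/bin/pcscd:\n'
    printf '\tlibpolkit-gobject-1.so.0 => /usr/lib/libpolkit-gobject-1.so.0 (0x00007f0000000000)\n'
    printf '\tlibc.so.6 => /usr/lib/libc.so.6 (0x00007f0000100000)\n'
    printf '/usr/lib/libpcsclite.so.1:\n'
    printf '\tlibc.so.6 => /usr/lib/libc.so.6 (0x00007f0000100000)\n'
}

PKG=${PKG:-pcsclite}
LIB=${LIB:-libpolkit}
if command -v pacman >/dev/null 2>&1 && pacman -Qq "$PKG" >/dev/null 2>&1; then
    # Real run: only files under /usr/bin and /usr/lib, as in the report.
    pacman -Qlq "$PKG" | grep -E '^/usr/(bin|lib)/' | ldd_report | linked_against "$LIB"
else
    # No pacman or package not installed: run on the constructed sample.
    sample_report | linked_against "$LIB"
fi
```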

Closed by Buggy McBugFace (bugbot)
Saturday, 25 November 2023, 20:09 GMT
Reason for closing: Moved
Additional comments about closing: https://gitlab.archlinux.org/archlinux/packaging/packages/pcsclite/issues/1
Comment by Balló György (City-busz) - Thursday, 09 March 2023, 22:15 GMT
How can you use your system without polkit? You can't even do shutdown as a normal user without it. :) If you use a desktop environment with KeePassXC, then you probably already need polkit.
Comment by Neven Sajko (Neven) - Friday, 10 March 2023, 00:47 GMT
Yes, I'm OK with admin rights being required for shutdown, seems to make sense to me that unprivileged users shouldn't be able to mess with the hardware, especially to such a great extent as with shutdown.
Comment by Jan Alexander Steffens (heftig) - Friday, 10 March 2023, 03:52 GMT
> (who does, anyway?).

"Smartcards" also covers the modern USB keys like YubiKeys.

FTR, Polkit support was added because it seemed to help the Yubico Authenticator from Flathub connect reliably.
Comment by Balló György (City-busz) - Friday, 10 March 2023, 10:15 GMT
> Yes, I'm OK with admin rights being required for shutdown, seems to make sense to me that unprivileged users shouldn't be able to mess with the hardware, especially to such a great extent as with shutdown.

If you don't want normal users to shut down the system, you can tweak polkit rules to achieve this.

pcscd depends only on a library (libpolkit-gobject-1.so.0), so I think we shouldn't split the pcsclite package just for that. It might be possible to split the polkit package into polkit and polkit-libs, since the polkit daemon is probably not a requirement for the libs, but I would prefer not to do that, and leave everything as is.
Comment by Igor Saric (karabaja4) - Monday, 13 March 2023, 21:59 GMT
Why are we assuming everyone's use case is the same and everyone should use polkit? I also run a polkit-free Arch system with no issues.

On servers and server-ish systems, I'd also prefer not having polkit installed.
Comment by Martin Jost (jussty) - Monday, 17 April 2023, 14:51 GMT
Same here, having massive problems now with an ArchWSL setup (I know, officially unsupported) due to unconfigured polkit/systemd. I am using YubiKeys bridged through with usbipd. Had to downgrade and pin 0.9.9-2 as a first workaround, but of course this will not last.
Comment by Vladimir Stoiakin (VStoiakin) - Tuesday, 18 April 2023, 08:41 GMT
> (who does, anyway?)

I use NitroKey Pro 2 with a physical smartcard inside and RuToken which emulates a smartcard to be driver-less. Both are modern devices.

For me the main problem is that now I have to add PolKit + DBus to my initrd to unlock a LUKS2-encrypted root partition with a PKCS#11 token. There is not much sense in using PolKit in initrd IMHO. So I think the right solution would be to add a runtime option to start `pcscd` with PolKit checks disabled, so it can be used without PolKit in initrd and with PolKit in the main system. And such an option would make PolKit an optional dependency and help with this issue.

EDIT: it's already there: https://github.com/LudovicRousseau/PCSC/commit/a9c7c0886acfb6ca4cae1426a623a8cff2e9846c
