pcscd's nixos module by default returns policykit auth errors #121121

Closed
euank opened this issue Apr 29, 2021 · 17 comments · Fixed by #121246
Comments

@euank
Member

euank commented Apr 29, 2021

Describe the bug

On nixos-unstable, pcscd does not work out of the box.

Configuring services.pcscd.enable = true isn't sufficient for a regular user to use pcscd because it has policykit enabled by default, but no policy is included to permit a user to talk to it.

To Reproduce
Steps to reproduce the behavior:

  1. configure services.pcscd.enable = true;
  2. Insert a YubiKey, try to interact with pcscd (e.g. with gpg2 --card-status)
  3. Observe the following logs in sudo journalctl -u pcscd -o cat
    00000000 auth.c:119:IsClientAuthorized() Error in authorization: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: Action org.debian.pcsc-lite.access_pcsc is not registered
    00000032 auth.c:137:IsClientAuthorized() Process 2625 (user: 1000) is NOT authorized for action: access_pcsc
    

Expected behavior

Enabling pcscd, and perhaps adding your user to a group, should be sufficient to talk to it.

I was able to work around the issue by adding the following to my configuration:

  environment.systemPackages = [ pkgs.pcsclite ];

  security.polkit.extraConfig = ''
      polkit.addRule(function(action, subject) {
        if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
          subject.isInGroup("wheel")) {
          return polkit.Result.YES;
        }
      });
  '';

I think the pcscd module should similarly add a policykit rule that allows a specific group to access pcscd.

Notify maintainers

cc @peterhoeg


It seems pretty straightforward to fix this. I think the main question is just whether we add a new group for it (yes I think) and what we name it (smartcard? pcsc? something else?)

There's also both org.debian.pcsc-lite.access_pcsc and org.debian.pcsc-lite.access_card defined in ${pkgs.pcsclite}/share/polkit-1/actions/org.debian.pcsc-lite.policy, but for my use I only seem to need access_pcsc.

It's not clear to me if we want to setup polkit rules for both of those or not.

@tadfisher
Contributor

In my case, I receive that error, and the workaround results in:

Apr 29 12:43:35 euler pcscd[33855]: 00000000 auth.c:119:IsClientAuthorized() Error in authorization: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: Action org.debian.pcsc-lite.access_pcsc is not registered

And indeed, pkaction doesn't list any org.debian.pcsc-lite.* actions. So I also had to add this to register the pcsclite actions:

{
  environment.systemPackages = [ pkgs.pcsclite ];
}

In order to get the polkit rule to work.

@colemickens
Member

Ok. This matches what I was finding last night while investigating my own pcscd not working. And I get the fix/workaround, but ... how did this work before? Was the module pulling pcsclite into the environment prior to the change to use upstream units, or?

I'm pretty confident that I was indeed using pc/sc and pcscd successfully just a few weeks ago?

@nixos-discourse

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/home-manager-users-can-help-test-gnupg-2-3-1-beta/12692/12

@peterhoeg
Member

I need to dig some hardware out to try this out which will only be happening on the weekend. Can somebody throw together a quick workaround to at least make things work again until we get the proper fix in place?

@colemickens
Member

I've tested and the workaround provided seems to work fine: environment.systemPackages = [ pkgs.pcsclite ];. My Discourse reply has more notes on my testing methodology. I've flipped between setups many times today and feel pretty sure that the workaround and your fix yesterday, combined, unblocks things.

I guess the fix could be as simple as including the workaround in the module

@euank
Member Author

euank commented Apr 30, 2021

Yeah. I think including the policykit rule and adding pcsclite to system packages in the module is pretty reasonable.

The cupsd and libvirt modules both do something pretty similar already.

The main thing I'm less sure about is whether it merits a new group or not.

@thblt
Contributor

thblt commented Apr 30, 2021

In my system, I don't need any changes in my config once I've modified pcscd.nix (in nixpkgs) to

systemd.packages = [ pkgs.pcsclite ];

instead of

systemd.packages = [ (getBin pkgs.pcsclite) ];

I still need to reboot to be 100% sure, though.

I don't really understand what this change implies, but notice that pcsclite polkit rules all have

<allow_active>yes</allow_active>

which means that any active user (with an active session) can perform these actions unauthenticated. So we shouldn't need to define rules, as @euank did.
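
The diagnosis this thread arrives at (the two journal lines in the first comment, @tadfisher's observation that pkaction lists no org.debian.pcsc-lite.* actions, and @thblt's point that the shipped defaults are <allow_active>yes</allow_active>) can be scripted. The following is an added example, not code from the issue or from nixpkgs: it classifies the pcscd journal messages quoted above into "action not registered" versus "action registered but denied", checks whether a polkit actions directory actually contains a definition for org.debian.pcsc-lite.access_pcsc, and reads that action's allow_active default. The journal lines and the .policy excerpt are constructed copies for the demo; the function names and advice strings are mine, and the actions directory on a real NixOS system is assumed to be /run/current-system/sw/share/polkit-1/actions.

```shell
#!/bin/sh
# Added example, not code from the issue or from nixpkgs.
# Triage for "pcscd says polkit denied me": tell apart an action that polkit
# never learned about (its .policy file is not in a directory polkit scans)
# from an action that is registered but evaluated to NO for this caller.

# Journal lines quoted in the issue (constructed copies for this demo).
SAMPLE_LOG_NOT_REGISTERED='00000000 auth.c:119:IsClientAuthorized() Error in authorization: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: Action org.debian.pcsc-lite.access_pcsc is not registered
00000032 auth.c:137:IsClientAuthorized() Process 2625 (user: 1000) is NOT authorized for action: access_pcsc'
SAMPLE_LOG_DENIED='00000032 auth.c:137:IsClientAuthorized() Process 2625 (user: 1000) is NOT authorized for action: access_pcsc'

# classify_pcscd_log: read journal text on stdin and print one of
#   not-registered  polkit has no definition for the action
#   not-authorized  action is known, polkit returned NO for the subject
#   ok              no IsClientAuthorized failures present
# The "not registered" case is always accompanied by a "NOT authorized"
# line, so it is tested first.
classify_pcscd_log() {
    log=$(cat)
    case "$log" in
        *'is not registered'*) echo not-registered ;;
        *'is NOT authorized'*) echo not-authorized ;;
        *) echo ok ;;
    esac
}

# action_registered DIR ACTION_ID: succeed if a .policy file under DIR defines
# <action id="ACTION_ID">. DIR is the polkit actions directory; on NixOS that
# is assumed to be /run/current-system/sw/share/polkit-1/actions.
action_registered() {
    grep -qs "<action id=\"$2\">" "$1"/*.policy
}

# action_allow_active DIR ACTION_ID: print the <allow_active> default of the
# action (yes, no, auth_self, auth_admin, ...), or nothing if it is undefined.
action_allow_active() {
    awk -v id="$2" '
        $0 ~ "<action id=\"" id "\">" { inside = 1 }
        inside && /<allow_active>/ {
            sub(/.*<allow_active>/, ""); sub(/<\/allow_active>.*/, ""); print; exit
        }
        /<\/action>/ { inside = 0 }
    ' "$1"/*.policy 2>/dev/null
}

# diagnose DIR LOG: combine the checks into one actionable line.
diagnose() {
    dir=$1
    verdict=$(printf '%s\n' "$2" | classify_pcscd_log)
    case "$verdict" in
        not-registered)
            if action_registered "$dir" org.debian.pcsc-lite.access_pcsc; then
                echo "policy file is under $dir but polkit has not loaded it: check polkit's search path or restart polkit"
            else
                echo "no org.debian.pcsc-lite.policy under $dir: add pkgs.pcsclite to environment.systemPackages so it gets linked there"
            fi ;;
        not-authorized)
            echo "action registered, default allow_active=$(action_allow_active "$dir" org.debian.pcsc-lite.access_pcsc); caller is probably not in an active local session, or a rule returned NO" ;;
        ok) echo "no pcscd authorization failures in the log" ;;
    esac
}

# make_sample_actions_dir: write a constructed excerpt of
# org.debian.pcsc-lite.policy (both actions, defaults as the thread describes)
# into a temp dir and print its path, so the functions above can be tried
# without a real polkit installation.
make_sample_actions_dir() {
    d=$(mktemp -d)
    cat > "$d/org.debian.pcsc-lite.policy" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<policyconfig>
  <action id="org.debian.pcsc-lite.access_pcsc">
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.debian.pcsc-lite.access_card">
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>
EOF
    echo "$d"
}

# Stand-alone run: the three outcomes against the constructed data.
sample_dir=$(make_sample_actions_dir)
diagnose "$(mktemp -d)" "$SAMPLE_LOG_NOT_REGISTERED"
diagnose "$sample_dir" "$SAMPLE_LOG_DENIED"
diagnose "$sample_dir" "pcscd started"
```

On a real system the equivalent call is `diagnose /run/current-system/sw/share/polkit-1/actions "$(journalctl -u pcscd -o cat)"`. Two caveats that follow from the allow_active=yes default: a `not-authorized` verdict with the action registered usually means the caller is not in an active local session (an SSH login or a user service without a seat counts as inactive, and allow_inactive is no), which is the case a group-based polkit rule like the one in the first comment works around; and such a rule also grants the action to every member of that group regardless of session state, which is wider than the shipped default.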

@euank euank changed the title pcscd's nixos module does not include a polkit policy pcscd's nixos module by default returns policykit auth errors Apr 30, 2021
@thblt
Contributor

thblt commented Apr 30, 2021

Now, actually I really need the environment.systemPackages line, but I guess it can just be added to pcscd.nix.

@euank
Member Author

euank commented Apr 30, 2021

Indeed, you're right @thblt, I must have added the policykit rule and environment package at the same time, and got confused about which of those changes resolved my problem.

Thanks for clarifying!

For me, adding it to systemPackages by itself seems to be enough, and I totally misdiagnosed the issue. Do you want to make a PR for that?

@thblt
Contributor

thblt commented Apr 30, 2021

@euank I'm working on it, just fighting pinentry a bit but it should be coming :)

@colemickens
Member

(If you're fighting pinentry and you've been messing with gpg-agent make sure you kill gpg-agent and restart it via systemctl --user, otherwise gpg starts it itself, often not very correctly.)

thblt added a commit to thblt/nixpkgs that referenced this issue Apr 30, 2021
This makes sure that the polkit policies for pcsclite are correctly loaded.
@thblt
Contributor

thblt commented Apr 30, 2021

@colemickens Thanks! I switched to the gtk2 pinentry "flavor" for now, it was something between gnome3 pinentry and my DE (sway).

@colemickens
Member

I suspect that's because that exact sort of change would've triggered a restart of the gpg-agent unit; gnome3 pinentry should work fine with sway.

Anyway, glad it's working and that y'all confirmed @tadfisher's work-around.

@maxdiebold

This solution worked for me previously, but after a recent update I'm getting the same errors stated initially:

00000000 auth.c:119:IsClientAuthorized() Error in authorization: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: Action org.debian.pcsc-lite.access_pcsc is not registered
00000032 auth.c:137:IsClientAuthorized() Process 2625 (user: 1000) is NOT authorized for action: access_pcsc

With and without the polkit rule, and pcsclite has remained added to my systemPackages.

@isiko

isiko commented Jan 22, 2024

Same for me

@averagebit
Member

averagebit commented Jan 31, 2024

Ran into the same issue recently.

Adding pcscliteWithPolkit.out to environment.systemPackages resolved it for me on unstable.

@isiko

isiko commented Jan 31, 2024

> Adding pcscliteWithPolkit.out to environment.systemPackages resolved it for me on unstable.

Same

@guillaumematheron guillaumematheron self-assigned this Jun 5, 2024