pcscd's nixos module by default returns policykit auth errors #121121
Comments
In my case, I receive that error, and the workaround results in:
And indeed,
{
  environment.systemPackages = [ pkgs.pcsclite ];
}
In order to get the polkit rule to work. |
Ok. This matches what I was finding last night while investigating my own pcscd not working. And I get the fix/workaround, but ... how did this work before? Was the module pulling pcsclite into the environment prior to the change to use upstream units, or? I'm pretty confident that I was indeed using pc/sc and pcscd successfully just a few weeks ago? |
This issue has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/home-manager-users-can-help-test-gnupg-2-3-1-beta/12692/12 |
I need to dig some hardware out to try this out which will only be happening on the weekend. Can somebody throw together a quick workaround to at least make things work again until we get the proper fix in place? |
I've tested and the workaround provided seems to work fine: I guess the fix could be as simple as including the workaround in the module |
Yeah. I think including the policykit rule and adding pcsclite to system packages in the module is pretty reasonable. The cupsd and libvirt modules both do something pretty similar already. The main thing I'm less sure about is whether it merits a new group or not. |
In my system, I don't need any changes in my config once I've modified pcscd.nix (in nixpkgs) to
instead of
I still need to reboot to be 100% sure, though. I don't really understand what this change implies, but notice that pcsclite polkit rules all have
which means that any active user (with an active session) can perform these actions unauthenticated. So we shouldn't need to define rules, as @euank did. |
Now, actually I really need the environment.systemPackages line, but I guess it can just be added to pcscd.nix. |
Indeed, you're right @thblt, I must have added the policykit rule and environment package at the same time, and got confused about which of those changes resolved my problem. Thanks for clarifying! For me, adding it to systempackages by itself seems to be enough, and I totally misdiagnosed the issue. Do you want to make a PR for that? |
@euank I'm working on it, just fighting pinentry a bit but it should be coming :) |
(If you're fighting pinentry and you've been messing with gpg-agent make sure you kill gpg-agent and restart it via |
This makes sure that the polkit policies for pcsclite are correctly loaded.
@colemickens Thanks! I switched to the gtk2 pinentry "flavor" for now, it was something between gnome3 pinentry and my DE (sway). |
I suspect that's because that exact sort of change would've triggered a restart of the gpg-agent unit; gnome3 pinentry should work fine with sway. Anyway, glad it's working and that y'all confirmed @tadfisher's work-around. |
nixos/pcscd: ensure polkit rules are loaded (fix #121121)
This solution worked for me previously, but after a recent update I'm getting the same errors stated initially:
With and without the polkit rule, and |
Same for me |
Ran into the same issue recently. Adding |
Same |
Describe the bug
On nixos-unstable, pcscd does not work out of the box.
Configuring services.pcscd.enable = true isn't sufficient for a regular user to use pcscd because it has policykit enabled by default, but no policy is included to permit a user to talk to it.
To Reproduce
Steps to reproduce the behavior:
services.pcscd.enable = true;
gpg2 --card-status
)sudo journalctl -u pcscd -o cat
Expected behavior
Enabling pcscd, and perhaps adding your user to a group, should be sufficient to talk to it.
I was able to work around the issue by adding the following to my configuration:
I think the pcscd module should similarly add a policykit rule that allows a specific group to access pcscd.
Notify maintainers
cc @peterhoeg
It seems pretty straightforward to fix this. I think the main question is just whether we add a new group for it (yes I think) and what we name it (smartcard? pcsc? something else?)
There's also both org.debian.pcsc-lite.access_pcsc and org.debian.pcsc-lite.access_card defined in ${pkgs.pcsclite}/share/polkit-1/actions/org.debian.pcsc-lite.policy, but for my use I only seem to need access_pcsc.
It's not clear to me if we want to set up polkit rules for both of those or not.
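An added example (not from the issue or from nixpkgs): a small Python check that parses a polkit .policy file and lists, for each action, which session scopes are granted without authentication, the property the comments above rely on when deciding whether an extra rule is needed. The sample XML is constructed and its `<defaults>` values are assumptions; a missing element is reported as "no".

```python
import xml.etree.ElementTree as ET

# Constructed sample in polkit .policy format. The action ids are the two named
# in this issue; the <defaults> values are assumed for illustration.
SAMPLE_POLICY = """<policyconfig>
  <action id="org.debian.pcsc-lite.access_pcsc">
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.debian.pcsc-lite.access_card">
    <defaults>
      <allow_any>no</allow_any>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>"""

SCOPES = ("allow_any", "allow_inactive", "allow_active")


def implicit_authorizations(policy_xml):
    """Map each action id to its <defaults>; a missing element is reported as 'no'."""
    result = {}
    for action in ET.fromstring(policy_xml).iter("action"):
        defaults = action.find("defaults")
        result[action.get("id")] = {
            scope: "no" if defaults is None else defaults.findtext(scope, "no").strip()
            for scope in SCOPES
        }
    return result


def unauthenticated_scopes(policy_xml):
    """Per action, the session scopes granted with no authentication prompt ('yes')."""
    return {
        action_id: [s for s in SCOPES if values[s] == "yes"]
        for action_id, values in implicit_authorizations(policy_xml).items()
    }


if __name__ == "__main__":
    for action_id, scopes in unauthenticated_scopes(SAMPLE_POLICY).items():
        print(f"{action_id}: no authentication for {', '.join(scopes) or 'no scope'}")
```

To audit an installed file, pass the bytes of the .policy file to `unauthenticated_scopes`.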