FedoraForum.org - Fedora Support Forums and Community
  1. #1
    Join Date
    Nov 2015
    Location
    Gothenburg, Sweden
    Posts
    35

    Question F26 server - wget - p11-kit/OpenSC - pcsc-lite/pcscd - polkit

    Hi!

    Whenever a user is using wget to fetch a webpage via https, I get messages like this in /var/log/messages:

    Code:
    2017-09-21T10:54:35+02:00 ninja pcscd[2721]: 03445385 auth.c:137:IsClientAuthorized() Process 48952 (user: 48) is NOT authorized for action: access_pcsc
    2017-09-21T10:54:35+02:00 ninja pcscd[2721]: 00000279 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
    This started after upgrading to F26 (or possibly F25, which was installed for a few days). I have no idea why wget (via one of the libraries involved) would try to access the smart card reader without the user telling it to. Even though it fails to get access to a reader (of which I currently have none), the https pages are received just fine.

    curl works without triggering these kinds of messages.

    Is there anything I could do to stop wget https requests from trying to access a smart card reader (unless told to)? I haven't changed any configuration for wget or the libs so they should be standard F26.

    I did however add two polkit rules to grant everyone smart card access to stop the log messages:

    Code:
    # cat /usr/share/polkit-1/rules.d/org.debian.pcsc-lite.rules
    
    polkit.addRule(function(action, subject) {
        if (action.id == "org.debian.pcsc-lite.access_card" &&
            action.lookup("reader") == 'name of reader' &&
            subject.active ) {
                return polkit.Result.YES;
        }
    });
    
    polkit.addRule(function(action, subject) {
        if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
            subject.active ) {
                return polkit.Result.YES;
        }
    });
    That stopped the log messages but I can't keep it like this if I decide to connect a smart card reader. Any ideas what to do to solve this properly?

    Br,
    Ted
    Last edited by Ted Lyngmo; 12th October 2017 at 08:46 PM. Reason: typo
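    A narrower alternative to the "allow everyone" rule quoted above, written as an added example (not code from the thread): access_pcsc is granted only to active local sessions of members of a dedicated group, and access_card is left to polkit's defaults. The group name "scard" is a hypothetical choice, not a Fedora default, and the decision is kept in a plain function so it can be checked outside polkitd.

    ```javascript
    // Added example, not from the forum post: a scoped pcsc-lite polkit rule.
    // ASSUMPTION: the group "scard" is hypothetical; pick whatever group your
    // site uses for people who are allowed to talk to pcscd.
    var PCSC_GROUP = "scard";

    // Pure decision function so the policy can be unit-tested without polkitd.
    // `action` and `subject` mirror the objects polkit hands to rule callbacks;
    // `Result` is polkit.Result (YES / NO / NOT_HANDLED).
    function pcscDecision(action, subject, Result) {
      if (action.id !== "org.debian.pcsc-lite.access_pcsc") {
        // access_card and every other action keep their defaults / other rules.
        return Result.NOT_HANDLED;
      }
      if (subject.active && subject.local && subject.isInGroup(PCSC_GROUP)) {
        return Result.YES;
      }
      // Explicit deny for everyone else. pcscd still logs such rejections,
      // which is the trade-off until the TLS library stops touching PKCS#11.
      return Result.NO;
    }

    // Inside polkitd the global `polkit` exists and the rule is registered;
    // under Node (used only for testing this file) it is absent and skipped.
    if (typeof polkit !== "undefined") {
      polkit.addRule(function (action, subject) {
        return pcscDecision(action, subject, polkit.Result);
      });
    }
    ```

    Local administrator rules belong in /etc/polkit-1/rules.d/ rather than /usr/share/polkit-1/rules.d/, which is reserved for files shipped by packages and may be overwritten on update.
    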

  2. #2
    Join Date
    Jul 2016
    Location
    United States
    Posts
    9

    Cool Re: F26 server - wget - p11-kit/OpenSC - pcsc-lite/pcscd - polkit

    Did you create a Bugzilla entry for this? We're seeing it as well. Quite annoying as it really spams the log and with a misleading message at that! Good find in at least where it's happening!

  3. #3
    Join Date
    Nov 2015
    Location
    Gothenburg, Sweden
    Posts
    35

    Re: F26 server - wget - p11-kit/OpenSC - pcsc-lite/pcscd - polkit

    Thanks, I appreciate it - it took some digging :-)

    No, I haven't filed a bug report. I wasn't sure it was a bug or just an anomaly in my system, and I'm also not sure what to write in the report since I'm unsure which part of the chain is to blame. :-/

    It somehow feels good to not be alone with this though.

    Br,
    Ted

  4. #4
    Join Date
    Jul 2016
    Location
    United States
    Posts
    9

    Re: F26 server - wget - p11-kit/OpenSC - pcsc-lite/pcscd - polkit

    Try selecting polkit and then any of the maintainers can reassign accordingly.

  5. #5
    Join Date
    Nov 2015
    Location
    Gothenburg, Sweden
    Posts
    35

    Re: F26 server - wget - p11-kit/OpenSC - pcsc-lite/pcscd - polkit


  6. #6
    Join Date
    Jun 2005
    Location
    Montreal, Que, Canada
    Posts
    4,496

    Re: F26 server - wget - p11-kit/OpenSC - pcsc-lite/pcscd - polkit

    Is wget installed in /bin/wget? /bin is also /usr/bin.

    `which wget` for me shows /bin; that is why I asked.

    The author of wget announced a new version yesterday. It's available via tar or zip download.
    It will appear within Fedora in a day or three.
    Leslie in Montreal

    Interesting web sites list
    http://forums.fedoraforum.org/showth...40#post1697840

  7. #7
    Join Date
    Nov 2015
    Location
    Gothenburg, Sweden
    Posts
    35

    Re: F26 server - wget - p11-kit/OpenSC - pcsc-lite/pcscd - polkit

    Code:
    % which wget
    /usr/bin/wget
    
    % ls -il /usr/bin/wget /bin/wget
    150210904 -rwxr-xr-x 1 root root 552584 Jun  2 12:17 /bin/wget
    150210904 -rwxr-xr-x 1 root root 552584 Jun  2 12:17 /usr/bin/wget
    I actually cloned the latest wget an hour ago but the diff (against 1.19.1-3.fc26 - commit 6620c5156f363036079d413bfa567e9d871bb30d) didn't show me anything that should affect this. I may have missed it, but I don't think so.

  8. #8
    Join Date
    Jun 2005
    Location
    Montreal, Que, Canada
    Posts
    4,496

    Re: F26 server - wget - p11-kit/OpenSC - pcsc-lite/pcscd - polkit

    /bin is the same directory as /usr/bin; a symlink (ln -s) is the reason:

    ls -l /
    ...
    lrwxrwxrwx. 1 root root 7 Aug 2 19:32 bin -> usr/bin
    ...

    Apparently, the fixes were mostly about security leaks and holes.
    Leslie in Montreal

    Interesting web sites list
    http://forums.fedoraforum.org/showth...40#post1697840

  9. #9
    Join Date
    Nov 2015
    Location
    Gothenburg, Sweden
    Posts
    35

    Re: F26 server - wget - p11-kit/OpenSC - pcsc-lite/pcscd - polkit

    Quote Originally Posted by lsatenstein
    the /bin is identically the same directory as /usr/bin
    ln -s is the reason

    ls -l /
    ...
    lrwxrwxrwx. 1 root root 7 Aug 2 19:32 bin -> usr/bin
    ...
    Hmm ... I'm not sure what you're getting at. wget asks for SC access whatever path I use to start it. Please clarify.

    Apparently, the fixes were mostly about security leaks and holes.
    The complete list:
    Code:
    % git log --oneline 6620c5156f363036079d413bfa567e9d871bb30d..
    ba6b44f6 Fix heap overflow in HTTP protocol handling (CVE-2017-13090)
    d892291f Fix stack overflow in HTTP protocol handling (CVE-2017-13089)
    bec4c215 Update for release 1.19.2
    27d78d94 Avoid unnecessary UTF-8 encoded fallback (trivial change)
    60f03342 Add GNU extensions to .netrc parsing
    6f3b9959 Bail out on unexpected 416 server errors
    c451eec1 Add gzip Content-Encoding decompression
    b543dfe7 Add --compression option
    08ed2a55 Adjust Extension based on Content-Encoding
    951d3e4c Document gperf as a requirement
    3ad3b3e3 * src/url.c (url_scheme): Use ASCII version of strncasecmp
    5fb6b6bd Fix misuse of strncasecmp
    f42229b1 Fix python test suite for GnuTLS 3.5.12+
    21154bdc Check for 304 response before applying --adjust-extension
    ae293c94 Fix buffer overflow in Public Key Pinning
    407c1f99 * doc/wget.texi: Mention --no-config
    86b46a34 * testenv/Test-recursive-basic.py: Check crawled files
    5d4ada1b Fix two Metalink tests if $HOME is changed
    876def8e Add command line option to disable use of .netrc
    f8c3df1f Fixed getting of credentials from .netrc
    17960b57 Added tests for HTTP authentication using credentials from .netrc
    40c0d30f Fix Test-https-badcerts.px
    e2c70257 * util/createcerts.sh: Fix double equal (syntax-check)
    269fb620 Fix Test-https-badcerts.px to work with GnuTLS
    c08778ae New shell script to create the certs and keys required for TLS tests
    297c1e2a Fix HTTPS testing for stricter OpenSSL
    936efc35 * src/iri.c (idn_encode): Better IDNA 2003 compatibility
    11d3de74 * .gitlab-ci.yml: Also test OpenSSL build
    35d5b67c * .gitlab-ci.yml: Remove installation of texlive
    da50a1ec Add certs/wotca.pem to avoid temp. file creation
    1068ca07 * cfg.mk: Exclude ^tests/certs/.* from syntax-check
    0666e0f3 * po/POTFILES.in: Remove spider.c (syntax-check)
    0d9f8280 * tests/Test-https-selfsigned.px: Add newline at EOF (syntax-check)
    17f0e16e Removed all uses of temp files. Added needed files to GIT
    cc74f8b7 Made CRL related files in the repo, instead of trying to generate them
    2894a371 Cleanup on exit in Test-https-*.px
    4669ba5e Auto-generate interca.conf and rootca.conf
    b5c2d083 Fix path and VPATH issues of new https/TLS tests
    466afc62 Check for test server name resolution in tests
    f68d0016 * tests/Makefile.am: Enable Test-https-badcerts again
    ffe75d08 Fix WgetFeature.pm to allow multiple required features
    9aa89485 * .gitlab-ci.yml: Add wgettestingserver to /etc/hosts
    5337b94c * tests/SSLServer.pm: Check for IO::Socket::SSL
    a26e6f35 * tests/Test-https-*: Change server port to <= 32767
    b9fb74dd Move https test server ports from >32767 to <= 32767
    3132049a * tests/Makefile.am: Add SSLTest.pm and SSLServer.pm to EXTRA_DIST
    c0c42da6 * tests//Makefile.am: Disable Test-https-badcerts.px
    888cc82c Add Gitlab CI (Debian)
    fce1b689 * .travis.yml: Use trusty for libidn2-dev
    580067d1 * tests/certs/test-ca-key.pem: Add newline at EOF
    5c4cc011 Add static HOSTSALIAS file
    2a962494 Added new tests for SSL
    0b41c754 Mention TLSv1_1 and TLSv1_2 as secure-protocol values in help
    c4a2b2e7 * src/http.c (gethttp): Support Wayback Machine's X-Archive-Orig-last-modified
    f6376ac0 Added new tests for SSL
    ac519c04 Added new tests for SSL
    56c78c4b * src/utils.c: Remove non-portable __builtin_unreachable()
    0ec46cb1 Skip iconv() usage if HAVE_ICONV is not defined
    67cb37ce Mention 'bash' for executing ./bootstrap
    0004d3ec * bootstrap.conf: Make 'sed' options more portable
    92bfe2a2 Fix charset transcoding issue for non-reversible codepoints
    fc2f4233 * src/iri.c: Fix WIN32 idn2_free, forgotten code
    b2c38d33 * src/init.c: Set flstats correctly when using WGETRC env var
    6ef493b1 Fix use of idn2_free()
    7ffe93ca Fix perl warnings in tests
    f381831d Fix typos in comments
    02d40a46 * src/metalink.c (retrieve_from_metalink): Fix len in memset()
    e89267fb Add gnulib module group-member
    400b8eba Safeguards against TOCTTOU
    90a0a749 Update gnulib
    1d71645c * src/warc.c (warc_write_cdx_record): Escape URLs
    e2498441 Include libunistring headers only when used
    84a93f41 Fix links to www.robotstxt.org
    f31b9342 * tests/WgetTests.pm: Add -d to Wget test options
    90b48736 Include <arpa/inet.h> for Windows
    57d74811 Fix updating HSTS entries
    4d729e32 Fix CRLF injection in Wget host part
    63c2aea2 * src/warc.c: Use warc_write_header_uri for all WARC-Target-URI fields
    ac4fed32 Fix 504 status handling
    cf5df559 * src/url.c (url_file_name): Do not charset convert local directory
    2215ee8d * configure.ac: Remove manually resetting of LIBICONV variable
    32e26dc1 * bootstrap.conf: Call gperf to create lib/unicase/special-casing-table.h
    21ac4ae3 * bootstrap.conf: Fix latest gnulib to work with gperf < 3.1
    838c185c Pull GNULib to latest.
    ac9be9b7 * src/main.c: Remove double 'verbose' option
    Br,
    Ted

  10. #10
    Join Date
    Jul 2016
    Location
    United States
    Posts
    9

    Re: F26 server - wget - p11-kit/OpenSC - pcsc-lite/pcscd - polkit


  11. #11
    Join Date
    Nov 2015
    Location
    Gothenburg, Sweden
    Posts
    35

    Re: F26 server - wget - p11-kit/OpenSC - pcsc-lite/pcscd - polkit

    It was denied at the wget mailing list but someone there pointed out that GnuTLS may cause it so I added an issue there:
    https://gitlab.com/gnutls/gnutls/issues/315

    Br,
    Ted

  12. #12
    Join Date
    Nov 2015
    Location
    Gothenburg, Sweden
    Posts
    35

    Re: F26 server - wget - p11-kit/OpenSC - pcsc-lite/pcscd - polkit

    Answer by Nikos Mavrogiannopoulos @ GnuTLS:
    normal wget usage shouldn't trigger initialization of smart cards (PKCS#11 subsystem), but in Fedora the certificate store is accessed through PKCS#11 (p11-kit trust store). That causes the whole PKCS#11 (i.e. smart card) subsystem to be initialized, and you see the error. A way to address that would be to make gnutls initialize only the p11-kit trust store in that case instead of the whole smart card subsystem.

    I'm keeping that open here, and also moved it to Fedora
    https://bugzilla.redhat.com/show_bug.cgi?id=1507402

  13. #13
    Join Date
    Nov 2015
    Location
    Gothenburg, Sweden
    Posts
    35

    Re: F26 server - wget - p11-kit/OpenSC - pcsc-lite/pcscd - polkit

    Quote Originally Posted by RobbieTheK
    We're seeing it as well. Quite annoying as it really spams the log and with a misleading message at that! Good find in at least where it's happening!
    There's now a GnuTLS scratch build for fc26.x86_64 available that I tested and it has stopped the log entries for me. I tested it like this:

    Download as a normal user and watch /var/log/messages to check that the log messages are still coming:
    Code:
    mkdir ~/tmp
    cd ~/tmp
    wget -qO- https://kojipkgs.fedoraproject.org//work/tasks/4552/22844552/gnutls-3.5.16-1.fc26.x86_64.rpm | rpm2cpio - | cpio -idmv
    Now test with the newly built shared library:
    Code:
    LD_LIBRARY_PATH=~/tmp/usr/lib64 wget -qO/dev/null https://google.com
    Edit: There are scratch builds available for the other architectures as well:
    https://koji.fedoraproject.org/koji/...askID=22844551

    Br,
    Ted
    Last edited by Ted Lyngmo; 1st November 2017 at 11:48 PM. Reason: added info
