F26 server - wget - p11-kit/OpenSC - pcsc-lite/pcscd - polkit

[Ted Lyngmo]

Hi!

Whenever a user is using wget to fetch a webpage via https, I'll get in messages like this in /var/log/messages:

Code:

2017-09-21T10:54:35+02:00 ninja pcscd[2721]: 03445385 auth.c:137:IsClientAuthorized() Process 48952 (user: 48) is NOT authorized for action: access_pcsc
2017-09-21T10:54:35+02:00 ninja pcscd[2721]: 00000279 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client

This started after upgrading to F26 (or possibly F25 which was installed for a few days). I have no idea why wget (via one of the libraries involved) would try to access the smart card reader without the user telling it to. Even though it fails getting access to a reader (which I've currently got none), the https pages are received just fine.

curl works without triggering these kinds of messages.

Is there anything I could do to stop wget https requests from trying to access a smart card reader (unless told to)? I haven't changed any configuration for wget or the libs so they should be standard F26.

I did however add two polkit rules to grant everyone smart card access to stop the log messages:

Code:

# cat /usr/share/polkit-1/rules.d/org.debian.pcsc-lite.rules

polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_card" &&
        action.lookup("reader") == 'name of reader' &&
        subject.active ) {
            return polkit.Result.YES;
    }
});

polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
        subject.active ) {
            return polkit.Result.YES;
    }
});

That stopped the log messages but I can't keep it like this if I decide to connect a smart card reader. Any ideas what to do to solve this properly?

Br,
Ted

[RobbieTheK]

Did you create a Bugzilla entry for this? We're seeing it as well. Quite annoying as it really spams the log and with a misleading message at that! Good find in at least where it's happening!

[Ted Lyngmo]

Thanks, I appreciate it - it took some digging :-)

No, I haven't filed a bugreport. I wasn't sure it was a bug or just an anomaly in my system and I'm also not sure what to write in the report since I'm unsure which part of the chain that's to blame. :-/

It somehow feels good to not be alone with this though.

Br,
Ted

[RobbieTheK]

Try selecting polkit and then any of the maintainers can reassign accordingly.

[Ted Lyngmo]

Ok, it's worth a shot.

https://bugs.freedesktop.org/show_bug.cgi?id=103483

[lsatenstein]

Is wget installed in /bin/wget? /bin is also /usr/bin

which wget for me shows /bin, that is why I asked?

Author of wget announced a new version yesterday. Its available via tar or zip download
It will appear within Fedora in a day or three.

[Ted Lyngmo]

Code:

% which wget
/usr/bin/wget

% ls -il /usr/bin/wget /bin/wget
150210904 -rwxr-xr-x 1 root root 552584 Jun  2 12:17 /bin/wget
150210904 -rwxr-xr-x 1 root root 552584 Jun  2 12:17 /usr/bin/wget

I actually cloned the latest wget an hour ago but the diff (against 1.19.1-3.fc26 - commit 6620c5156f363036079d413bfa567e9d871bb30d) didn't show me anything that should affect this. I may have missed it, but I don't think so.

[lsatenstein]

the /bin is identically the same directory as /usr/bin
ln -s is the reason

ls -l /
...
lrwxrwxrwx. 1 root root 7 Aug 2 19:32 bin -> usr/bin
...

Apparently, the fixes were mostly about security leaks and holes.

[Ted Lyngmo]

the /bin is identically the same directory as /usr/bin
ln -s is the reason

ls -l /
...
lrwxrwxrwx. 1 root root 7 Aug 2 19:32 bin -> usr/bin
...

Hmm ... I'm not sure what you're getting at. wget asks for SC access whatever path I use to start it. Please clarify.

Apparently, the fixes were mostly about security leaks and holes.

The complete list:

Code:

% git log --oneline 6620c5156f363036079d413bfa567e9d871bb30d..
ba6b44f6 Fix heap overflow in HTTP protocol handling (CVE-2017-13090)
d892291f Fix stack overflow in HTTP protocol handling (CVE-2017-13089)
bec4c215 Update for release 1.19.2
27d78d94 Avoid unnecessary UTF-8 encoded fallback (trivial change)
60f03342 Add GNU extensions to .netrc parsing
6f3b9959 Bail out on unexpected 416 server errors
c451eec1 Add gzip Content-Encoding decompression
b543dfe7 Add --compression option
08ed2a55 Adjust Extension based on Content-Encoding
951d3e4c Document gperf as a requirement
3ad3b3e3 * src/url.c (url_scheme): Use ASCII version of strncasecmp
5fb6b6bd Fix misuse of strncasecmp
f42229b1 Fix python test suite for GnuTLS 3.5.12+
21154bdc Check for 304 response before applying --adjust-extension
ae293c94 Fix buffer overflow in Public Key Pinning
407c1f99 * doc/wget.texi: Mention --no-config
86b46a34 * testenv/Test-recursive-basic.py: Check crawled files
5d4ada1b Fix two Metalink tests if $HOME is changed
876def8e Add command line option to disable use of .netrc
f8c3df1f Fixed getting of credentials from .netrc
17960b57 Added tests for HTTP authentication using credentials from .netrc
40c0d30f Fix Test-https-badcerts.px
e2c70257 * util/createcerts.sh: Fix double equal (syntax-check)
269fb620 Fix Test-https-badcerts.px to work with GnuTLS
c08778ae New shell script to create the certs and keys required for TLS tests
297c1e2a Fix HTTPS testing for stricter OpenSSL
936efc35 * src/iri.c (idn_encode): Better IDNA 2003 compatibility
11d3de74 * .gitlab-ci.yml: Also test OpenSSL build
35d5b67c * .gitlab-ci.yml: Remove installation of texlive
da50a1ec Add certs/wotca.pem to avoid temp. file creation
1068ca07 * cfg.mk: Exclude ^tests/certs/.* from syntax-check
0666e0f3 * po/POTFILES.in: Remove spider.c (syntax-check)
0d9f8280 * tests/Test-https-selfsigned.px: Add newline at EOF (syntax-check)
17f0e16e Removed all uses of temp files. Added needed files to GIT
cc74f8b7 Made CRL related files in the repo, instead of trying to generate them
2894a371 Cleanup on exit in Test-https-*.px
4669ba5e Auto-generate interca.conf and rootca.conf
b5c2d083 Fix path and VPATH issues of new https/TLS tests
466afc62 Check for test server name resolution in tests
f68d0016 * tests/Makefile.am: Enable Test-https-badcerts again
ffe75d08 Fix WgetFeature.pm to allow multiple required features
9aa89485 * .gitlab-ci.yml: Add wgettestingserver to /etc/hosts
5337b94c * tests/SSLServer.pm: Check for IO::Socket::SSL
a26e6f35 * tests/Test-https-*: Change server port to <= 32767
b9fb74dd Move https test server ports from >32767 to <= 32767
3132049a * tests/Makefile.am: Add SSLTest.pm and SSLServer.pm to EXTRA_DIST
c0c42da6 * tests//Makefile.am: Disable Test-https-badcerts.px
888cc82c Add Gitlab CI (Debian)
fce1b689 * .travis.yml: Use trusty for libidn2-dev
580067d1 * tests/certs/test-ca-key.pem: Add newline at EOF
5c4cc011 Add static HOSTSALIAS file
2a962494 Added new tests for SSL
0b41c754 Mention TLSv1_1 and TLSv1_2 as secure-protocol values in help
c4a2b2e7 * src/http.c (gethttp): Support Wayback Machine's X-Archive-Orig-last-modified
f6376ac0 Added new tests for SSL
ac519c04 Added new tests for SSL
56c78c4b * src/utils.c: Remove non-portable __builtin_unreachable()
0ec46cb1 Skip iconv() usage if HAVE_ICONV is not defined
67cb37ce Mention 'bash' for executing ./bootstrap
0004d3ec * bootstrap.conf: Make 'sed' options more portable
92bfe2a2 Fix charset transcoding issue for non-reversible codepoints
fc2f4233 * src/iri.c: Fix WIN32 idn2_free, forgotten code
b2c38d33 * src/init.c: Set flstats correctly when using WGETRC env var
6ef493b1 Fix use of idn2_free()
7ffe93ca Fix perl warnings in tests
f381831d Fix typos in comments
02d40a46 * src/metalink.c (retrieve_from_metalink): Fix len in memset()
e89267fb Add gnulib module group-member
400b8eba Safeguards against TOCTTOU
90a0a749 Update gnulib
1d71645c * src/warc.c (warc_write_cdx_record): Escape URLs
e2498441 Include libunistring headers only when used
84a93f41 Fix links to www.robotstxt.org
f31b9342 * tests/WgetTests.pm: Add -d to Wget test options
90b48736 Include <arpa/inet.h> for Windows
57d74811 Fix updating HSTS entries
4d729e32 Fix CRLF injection in Wget host part
63c2aea2 * src/warc.c: Use warc_write_header_uri for all WARC-Target-URI fields
ac4fed32 Fix 504 status handling
cf5df559 * src/url.c (url_file_name): Do not charset convert local directory
2215ee8d * configure.ac: Remove manually resetting of LIBICONV variable
32e26dc1 * bootstrap.conf: Call gperf to create lib/unicase/special-casing-table.h
21ac4ae3 * bootstrap.conf: Fix latest gnulib to work with gperf < 3.1
838c185c Pull GNULib to latest.
ac9be9b7 * src/main.c: Remove double 'verbose' option

Br,
Ted

[RobbieTheK]

Try reporting here https://lists.gnu.org/mailman/listinfo/bug-wget

[Ted Lyngmo]

It was denied at the wget mailing list but someone there pointed out that GnuTLS may cause it so I added an issue there:
https://gitlab.com/gnutls/gnutls/issues/315

Br,
Ted

[Ted Lyngmo]

Answer by Nikos Mavrogiannopoulos @ GnuTLS:

normal wget usage shouldn't trigger initialization of smart cards (PKCS#11 subsystem), but in fedora the certificate store is accessed through PKCS#11 (p11-kit trust store). That makes the whole PKCS#11 (i.e. smart card) subsystem to be initialized, and you see the error. A way to address that would be to make gnutls initialize only the p11-kit trust store in that case instead of the whole smart card subsystem.

I'm keeping that open here, and also moved it to Fedora
https://bugzilla.redhat.com/show_bug.cgi?id=1507402

[Ted Lyngmo]

We're seeing it as well. Quite annoying as it really spams the log and with a misleading message at that! Good find in at least where it's happening!

There's now a GnuTLS scratch build for fc26.x86_64 available that I tested and it has stopped the log entries for me. I tested it like this:

Download as a normal user and watch /var/log/messages to check that the log messages are still coming:

Code:

mkdir ~/tmp
cd ~/tmp
wget -qO- https://kojipkgs.fedoraproject.org//work/tasks/4552/22844552/gnutls-3.5.16-1.fc26.x86_64.rpm | rpm2cpio - | cpio -idmv

Now test with the newly built shared library:

Code:

LD_LIBRARY_PATH=~/tmp/usr/lib64 wget -qO/dev/null https://google.com

Edit: There are scratch builds available for the other architectures as well:
https://koji.fedoraproject.org/koji/...askID=22844551

Br,
Ted

[Ted Lyngmo]

gnutls-3.5.16-3.fc26.x86_64 is now officially released which resolves this issue