Fedora Linux Support Community & Resources Center
  #1  
Old 21st September 2017, 09:57 AM
Ted Lyngmo Offline
Registered User
 
Join Date: Nov 2015
Location: Gothenburg, Sweden
Posts: 17
windows_7chrome
Question F26 - pcscd - apache - NOT authorized for action: access_pcsc

I upgraded from F25 to F26 Yesterday and then /var/log/messages started getting a pair of these lines 1-2 times a minute:

Code:
2017-09-21T10:54:35+02:00 ninja pcscd[2721]: 03445385 auth.c:137:IsClientAuthorized() Process 48952 (user: 48) is NOT authorized for action: access_pcsc
2017-09-21T10:54:35+02:00 ninja pcscd[2721]: 00000279 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
User 48 is apache and pcscd is the PC/SC Smart Card Daemon. Why apache suddenly is doing something related to that I don't know. Perhaps it always has, but something else changed in the upgrade.

I noticed that httpd.x86_64 was downgraded from 2.4.27-3.fc25 to 2.4.27-2.fc26 when I made the upgrade.

Any clues what may have caused this or what to do to fix it?

Br,
Ted

Last edited by Ted Lyngmo; 21st September 2017 at 07:50 PM. Reason: typo
Reply With Quote
  #2  
Old 27th September 2017, 09:24 PM
Ted Lyngmo Offline
Registered User
 
Join Date: Nov 2015
Location: Gothenburg, Sweden
Posts: 17
windows_7chrome
Re: F26 - pcscd - apache - NOT authorized for action: access_pcsc

I sent the above question author of pcsc along with this extra bit:

Quote:
Perhaps I can help searching for the cause somehow but I don't know where to start. What triggers pcscd to call IsClientAuthorized? Is it a library call or someone trying to connect to the /var/run/pcscd/pcscd.comm socket or something else?

Edit: Just made a program that connected to the file system socket and got the same result (but with my userid), so it seems apache is really trying to connect to that socket too. Odd. I take it you don't know of any situation when that would make sense?
...and I got this reply:

Quote:
pcscd is the daemon. The client is libpcsclite.so.1 library.

My first guess is that apache is configured to use a smart card to store a TLS private key. Maybe through a PKCS#11 library like OpenSC.

You will have to find why apache is, indirectly, using libpcsclite.so.1.
I haven't changed my apache configuration lately, nor have I ever tried configuring apache to use a smart card to store a TLS private key so I've no clue why apache suddenly started doing this. I don't see anything in the apache logs at the same time when the pcscd entries come in so it's hard to find out what apache is trying to do.

Any ideas?
Reply With Quote
  #3  
Old 10th October 2017, 04:52 PM
Ted Lyngmo Offline
Registered User
 
Join Date: Nov 2015
Location: Gothenburg, Sweden
Posts: 17
windows_7chrome
Re: F26 - pcscd - apache - NOT authorized for action: access_pcsc

It turns out to be a wget call (made by apache) that causes the pcscd log entries.

My site collects information from many places and only one of them enforces https instead of http and that seems to trigger the pcscd log entries. If I try one of the sites that accepts both http and https, only the https one will generate the log entries.

Code:
# tail -f /var/log/messages | grep pcscd &
[1] 20260
# inotifywait -m /usr/lib64/libpcsclite.so.1.0.0 &
[2] 20261
Setting up watches.
Watches established.
# sudo -u apache wget -qO/dev/null http://masalakitchen.se/lindholmen/lunchmeny/ ; echo $?
0
# sudo -u apache wget -qO/dev/null https://masalakitchen.se/lindholmen/lunchmeny/ ; echo $?
/usr/lib64/libpcsclite.so.1.0.0 OPEN
/usr/lib64/libpcsclite.so.1.0.0 ACCESS
2017-10-10T16:49:40+02:00 ninja pcscd[2758]: 83431667 auth.c:137:IsClientAuthorized() Process 20791 (user: 48) is NOT authorized for action: access_pcsc
2017-10-10T16:49:40+02:00 ninja pcscd[2758]: 00000231 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
/usr/lib64/libpcsclite.so.1.0.0 CLOSE_NOWRITE,CLOSE
0
#
All users but root seems to trigger this but the returned data is ok for all of them. So, it's got nothing to do with apache but instead it's wget that's doing something funny whenever https is involved.

curl does not trigger these log entries. What is wget trying to do and why? Any ideas?
Reply With Quote
  #4  
Old 12th October 2017, 08:39 PM
Ted Lyngmo Offline
Registered User
 
Join Date: Nov 2015
Location: Gothenburg, Sweden
Posts: 17
windows_7chrome
Re: F26 - pcscd - apache - NOT authorized for action: access_pcsc

Question rephrased in Servers & Networking
Reply With Quote
Reply

Tags
accesspcsc , access_pcsc , action , apache , authorized , f26 , pcscd

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Not authorized to nothing after installing wine sonam Using Fedora 1 30th July 2014 06:24 PM
Authorized error problem rootvn Using Fedora 0 16th March 2011 12:57 PM
F11 x86_64 pcscd (card reader daemon) prudy Hardware & Laptops 0 20th September 2009 06:44 PM
problem with pcscd barq Using Fedora 1 6th February 2008 04:29 PM
pcscd with acr38u driver burns CPU cycles fcorneli Hardware & Laptops 1 20th June 2007 03:10 PM


Current GMT-time: 13:52 (Sunday, 22-10-2017)

TopSubscribe to XML RSS for all Threads in all ForumsFedoraForumDotOrg Archive
logo

All trademarks, and forum posts in this site are property of their respective owner(s).
FedoraForum.org is privately owned and is not directly sponsored by the Fedora Project or Red Hat, Inc.

Privacy Policy | Term of Use | Posting Guidelines | Archive | Contact Us | Founding Members

Powered by vBulletin® Copyright ©2000 - 2012, vBulletin Solutions, Inc.

FedoraForum is Powered by RedHat