Closed evalexpr closed 3 years ago
This was merged recently: https://github.com/NixOS/nixpkgs/pull/97440
cc: @peterhoeg
If this is the cause, we should consider a revert if we can't fix it quickly; this is potentially extremely bad.
This issue has been mentioned on NixOS Discourse. There might be relevant details there:
https://discourse.nixos.org/t/home-manager-users-can-help-test-gnupg-2-3-1-beta/12692/8
It's an easy fix (workaround at least). PR coming up in a few minutes.
Does this fix it for you @evalexpr ?
I'm getting this in my pcscd logs, not sure if this is normal. But things aren't working with gpg still (with the using-pcscd path, anyway)
Apr 28 23:23:07 xeep pcscd[167158]: 00839929 auth.c:119:IsClientAuthorized() Error in authorization: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: Action org.debian.pcsc-lite.access_pcsc is not registered
Apr 28 23:23:07 xeep pcscd[167158]: 00000009 auth.c:137:IsClientAuthorized() Process 167155 (user: 1000) is NOT authorized for action: access_pcsc
Apr 28 23:23:07 xeep pcscd[167158]: 00000071 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
Apr 28 23:23:08 xeep pcscd[167158]: 01072090 auth.c:119:IsClientAuthorized() Error in authorization: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: Action org.debian.pcsc-lite.access_pcsc is not registered
Apr 28 23:23:08 xeep pcscd[167158]: 00000009 auth.c:137:IsClientAuthorized() Process 167155 (user: 1000) is NOT authorized for action: access_pcsc
Apr 28 23:23:08 xeep pcscd[167158]: 00000085 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
Apr 28 23:23:11 xeep pcscd[167158]: 03240076 ccid_usb.c:858:WriteUSB() write failed (3/59): -4 LIBUSB_ERROR_NO_DEVICE
Apr 28 23:23:13 xeep pcscd[167158]: 02375388 auth.c:119:IsClientAuthorized() Error in authorization: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: Action org.debian.pcsc-lite.access_pcsc is not registered
Apr 28 23:23:13 xeep pcscd[167158]: 00000007 auth.c:137:IsClientAuthorized() Process 167155 (user: 1000) is NOT authorized for action: access_pcsc
Apr 28 23:23:13 xeep pcscd[167158]: 00000082 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
EDIT: maybe this has to do with how I'm overriding gnupg (maybe the normal system gnupg gets some polkit rule that mine doesn't?)
@colemickens I have the same issue:
Apr 29 10:10:41 talos pcscd[95869]: 00000000 ccid_usb.c:1286:ControlUSB() control failed (4/3): -7 LIBUSB_ERROR_TIMEOUT
Apr 29 10:10:41 talos pcscd[95869]: 00117987 auth.c:119:IsClientAuthorized() Error in authorization: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: Action org.debian.pcsc-lite.access_pcsc is not registered
Apr 29 10:10:41 talos pcscd[95869]: 00000030 auth.c:137:IsClientAuthorized() Process 7709 (user: 1000) is NOT authorized for action: access_pcsc
Apr 29 10:10:41 talos pcscd[95869]: 00000130 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
Apr 29 10:10:42 talos pcscd[95869]: 01007139 auth.c:119:IsClientAuthorized() Error in authorization: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: Action org.debian.pcsc-lite.access_pcsc is not registered
Apr 29 10:10:42 talos pcscd[95869]: 00000014 auth.c:137:IsClientAuthorized() Process 7709 (user: 1000) is NOT authorized for action: access_pcsc
Apr 29 10:10:42 talos pcscd[95869]: 00000197 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
cc @peterhoeg
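An added example, not part of the thread or of nixpkgs: a small triage script over pcscd journal lines in the format quoted above, separating clients rejected because the polkit action is not registered from clients denied by an actual policy decision. The sample lines are copied from the logs above; the `triage` function and its cause labels are names made up for this example, and it assumes a denial with no preceding "is not registered" error is a policy decision.

```python
import re

# Sample input: lines copied from the pcscd journal output quoted in this thread.
SAMPLE = """\
Apr 28 23:23:07 xeep pcscd[167158]: 00839929 auth.c:119:IsClientAuthorized() Error in authorization: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: Action org.debian.pcsc-lite.access_pcsc is not registered
Apr 28 23:23:07 xeep pcscd[167158]: 00000009 auth.c:137:IsClientAuthorized() Process 167155 (user: 1000) is NOT authorized for action: access_pcsc
Apr 28 23:23:07 xeep pcscd[167158]: 00000071 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
Apr 28 23:23:11 xeep pcscd[167158]: 03240076 ccid_usb.c:858:WriteUSB() write failed (3/59): -4 LIBUSB_ERROR_NO_DEVICE
"""

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} (?P<host>\S+) pcscd\[(?P<daemon>\d+)\]: "
                  r"\d{8} [\w.]+:\d+:\w+\(\) (?P<msg>.*)$")
UNREGISTERED = re.compile(r"Action (\S+) is not registered")
DENIED = re.compile(r"Process (\d+) \(user: (\d+)\) is NOT authorized for action: (\S+)")
USB_ERROR = re.compile(r"LIBUSB_ERROR_\w+")


def triage(text):
    """Classify pcscd journal lines; returns (denials, usb_errors, unparsed_count)."""
    denials, usb_errors, unparsed = [], [], 0
    unregistered = {}  # daemon pid -> action named in the preceding polkit error
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            unparsed += 1
            continue
        daemon, msg = m["daemon"], m["msg"]
        if (u := UNREGISTERED.search(msg)):
            unregistered[daemon] = u[1]
        elif (d := DENIED.search(msg)):
            # A denial right after "is not registered" means polkit never
            # evaluated a rule: the policy file is missing, not restrictive.
            missing = unregistered.pop(daemon, None)
            denials.append({
                "host": m["host"], "client_pid": int(d[1]), "uid": int(d[2]),
                "action": d[3],
                "cause": "polkit-action-not-registered" if missing else "denied-by-policy",
                "missing_action": missing,
            })
        elif (e := USB_ERROR.search(msg)):
            usb_errors.append(e[0])
    return denials, usb_errors, unparsed


if __name__ == "__main__":
    for item in triage(SAMPLE)[0]:
        print(item)
```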
@peterhoeg I believe you've fixed the wrong file. Since the computer I'm on is affected, I cannot send a PR right now, so all I can offer immediately is a patch that reverts your changes in #121105 and, I believe, solves the actual root problem, which is an error in pcsclite's configureFlags. See patch below.
From 45d53111882130edd2c097c5fa0121a5181de0bb Mon Sep 17 00:00:00 2001
From: Thibault Polge <thibault@thb.lt>
Date: Thu, 29 Apr 2021 14:36:07 +0200
Subject: [PATCH] Don't configure pcsclite with a confdir (fix #121088)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This reverts commit 6d23cfd56bbecfd27f230705b709575ba9d66c26, which
solved #121088 by hardcoding the configuration file path into the
binary call. Instead, it removes the --enable-confdir build option
which was the root cause of the issue. To clarify, this is how
./configure --help describes the parameter:
--enable-confdir=DIR directory containing reader configurations (default
But it was set as:
configureFlags = [
"--enable-confdir=/etc" … ]
---
nixos/modules/services/hardware/pcscd.nix | 10 ----------
pkgs/tools/security/pcsclite/default.nix | 1 -
2 files changed, 11 deletions(-)
diff --git a/nixos/modules/services/hardware/pcscd.nix b/nixos/modules/services/hardware/pcscd.nix
index 59c12ee12ca..54b6693f85a 100644
--- a/nixos/modules/services/hardware/pcscd.nix
+++ b/nixos/modules/services/hardware/pcscd.nix
@@ -57,16 +57,6 @@ in
systemd.services.pcscd = {
environment.PCSCLITE_HP_DROPDIR = pluginEnv;
restartTriggers = [ "/etc/reader.conf" ];
-
- # If the cfgFile is empty and not specified (in which case the default
- # /etc/reader.conf is assumed), pcscd will happily start going through the
- # entire confdir (/etc in our case) looking for a config file and try to
- # parse everything it finds. Doesn't take a lot of imagination to see how
- # well that works. It really shouldn't do that to begin with, but to work
- # around it, we force the path to the cfgFile.
- #
- # https://github.com/NixOS/nixpkgs/issues/121088
- serviceConfig.ExecStart = [ "" "${getBin pkgs.pcsclite}/bin/pcscd -f -x -c ${cfgFile}" ];
};
};
}
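Review bot: With the ExecStart override removed from systemd.services.pcscd, nothing in the visible unit passes -c ${cfgFile} to pcscd any more, so the fix relies entirely on the daemon's built-in default config lookup. Please confirm that the default resolves to the /etc/reader.conf still named in restartTriggers, and if cfgFile has no other reference in the module, drop its binding in the same patch. The deleted comment was also the only in-tree explanation of the directory-scan behaviour from #121088; a one-line note on why no -c is needed would keep that context.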
diff --git a/pkgs/tools/security/pcsclite/default.nix b/pkgs/tools/security/pcsclite/default.nix
index 71bd13c4a72..58df2442afa 100644
--- a/pkgs/tools/security/pcsclite/default.nix
+++ b/pkgs/tools/security/pcsclite/default.nix
@@ -30,7 +30,6 @@ stdenv.mkDerivation rec {
'';
configureFlags = [
- "--enable-confdir=/etc"
# The OS should care on preparing the drivers into this location
"--enable-usbdropdir=/var/lib/pcsc/drivers"
]
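Review bot: Dropping "--enable-confdir=/etc" from configureFlags leaves the reader-configuration directory at the build's default, and the --help quote in the commit message stops at "(default", so the resulting path is not stated anywhere in the patch. State that path in the commit message or in a comment beside configureFlags, and verify it is a location the NixOS module actually populates, since pcscd.nix still treats /etc/reader.conf as the config in restartTriggers.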
--
2.31.1
@evalexpr @colemickens These logs look like #121121
@thblt applying both #121246 and #121247 fixes the issue for me too
@evalexpr Thanks for the feedback! Could you please comment on #121246 so we can get it merged asap?
Describe the bug
pcscd seems to be broken. When enabling pcscd via services.pcscd.enable it doesn't seem to find the correct config file (namely /etc/reader.conf) and instead seemingly tries a few files in the /etc dir one by one until it eventually fails.
To Reproduce
Steps to reproduce the behavior:
pcscd via services.pcscd.enable
Expected behavior
The pcscd service starts and is usable with a Yubikey
Screenshots
Output of running the command in the service file manually:
More logs, seeing it try different files in /etc and then failing to remove the pid file it didn't create:
Additional context
cc @colemickens who also encountered this issue
Notify maintainers
@peterhoeg via git blame
Metadata