NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

pcscd: fails to start #121088

Closed evalexpr closed 3 years ago

evalexpr commented 3 years ago

Describe the bug

pcscd seems to be broken.

When enabling pcscd via services.pcscd.enable it doesn't seem to find the correct config file (namely /etc/reader.conf) and instead seemingly tries a few files in the /etc dir one by one until it eventually fails.

To Reproduce

Steps to reproduce the behavior:

  1. Enable pcscd via services.pcscd.enable
  2. Rebuild
  3. Note that the service does not start and instead the journal is filled with errors

Expected behavior

The pcscd service starts and is usable with a Yubikey

Screenshots

Output of running the command in the service file manually:

image

More logs, seeing it try different files in /etc and then failing to remove the pid file it didn't create:

image

Additional context

cc @colemickens who also encountered this issue

Notify maintainers

@peterhoeg via git blame

Metadata

- system: `"x86_64-linux"`
- host os: `Linux 5.11.14, NixOS, 21.05.20210428.267761c (Okapi)`
- multi-user?: `yes`
- sandbox: `yes`
- version: `nix-env (Nix) 2.4pre20210326_dd77f71`
- channels(root): `"nixos-21.03pre246062.420f89ceb26"`
- channels(evalexpr): `"home-manager, nixos-hardware"`
- nixpkgs: `/nix/store/18hpwqzfcjdwfn1p69x7rl4sf7yjs7ak-zs7vn9p5zygl1mhrgx5m83v3y65glhsf-source`

colemickens commented 3 years ago

This was merged recently: https://github.com/NixOS/nixpkgs/pull/97440

cc: @peterhoeg

If this is the cause, we should consider a revert if we can't fix it quickly; this is potentially extremely bad.

nixos-discourse commented 3 years ago

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/home-manager-users-can-help-test-gnupg-2-3-1-beta/12692/8

peterhoeg commented 3 years ago

It's an easy fix (workaround at least). PR coming up in a few minutes.

colemickens commented 3 years ago

Does this fix it for you @evalexpr ?

I'm getting this in my pcscd logs, not sure if this is normal. But things aren't working with gpg still (with the using-pcscd path, anyway)

Apr 28 23:23:07 xeep pcscd[167158]: 00839929 auth.c:119:IsClientAuthorized() Error in authorization: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: Action org.debian.pcsc-lite.access_pcsc is not registered
Apr 28 23:23:07 xeep pcscd[167158]: 00000009 auth.c:137:IsClientAuthorized() Process 167155 (user: 1000) is NOT authorized for action: access_pcsc
Apr 28 23:23:07 xeep pcscd[167158]: 00000071 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
Apr 28 23:23:08 xeep pcscd[167158]: 01072090 auth.c:119:IsClientAuthorized() Error in authorization: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: Action org.debian.pcsc-lite.access_pcsc is not registered
Apr 28 23:23:08 xeep pcscd[167158]: 00000009 auth.c:137:IsClientAuthorized() Process 167155 (user: 1000) is NOT authorized for action: access_pcsc
Apr 28 23:23:08 xeep pcscd[167158]: 00000085 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
Apr 28 23:23:11 xeep pcscd[167158]: 03240076 ccid_usb.c:858:WriteUSB() write failed (3/59): -4 LIBUSB_ERROR_NO_DEVICE
Apr 28 23:23:13 xeep pcscd[167158]: 02375388 auth.c:119:IsClientAuthorized() Error in authorization: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: Action org.debian.pcsc-lite.access_pcsc is not registered
Apr 28 23:23:13 xeep pcscd[167158]: 00000007 auth.c:137:IsClientAuthorized() Process 167155 (user: 1000) is NOT authorized for action: access_pcsc
Apr 28 23:23:13 xeep pcscd[167158]: 00000082 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client

EDIT: maybe this has to do with how I'm overriding gnupg (maybe the normal system gnupg gets some polkit rule that mine doesn't?)

evalexpr commented 3 years ago

@colemickens I have the same issue:

Apr 29 10:10:41 talos pcscd[95869]: 00000000 ccid_usb.c:1286:ControlUSB() control failed (4/3): -7 LIBUSB_ERROR_TIMEOUT
Apr 29 10:10:41 talos pcscd[95869]: 00117987 auth.c:119:IsClientAuthorized() Error in authorization: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: Action org.debian.pcsc-lite.access_pcsc is not registered
Apr 29 10:10:41 talos pcscd[95869]: 00000030 auth.c:137:IsClientAuthorized() Process 7709 (user: 1000) is NOT authorized for action: access_pcsc
Apr 29 10:10:41 talos pcscd[95869]: 00000130 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
Apr 29 10:10:42 talos pcscd[95869]: 01007139 auth.c:119:IsClientAuthorized() Error in authorization: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: Action org.debian.pcsc-lite.access_pcsc is not registered
Apr 29 10:10:42 talos pcscd[95869]: 00000014 auth.c:137:IsClientAuthorized() Process 7709 (user: 1000) is NOT authorized for action: access_pcsc
Apr 29 10:10:42 talos pcscd[95869]: 00000197 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client

cc @peterhoeg
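
The two journal excerpts above mix USB transport errors with authorization failures. As an added example (not part of the thread or of nixpkgs), this script groups pcscd journal lines by cause and marks a denial as `action_not_registered` when polkit had reported the same action as unregistered, which means the action's policy definition is not installed rather than that the user was refused. The function name and the cause labels are made up for this example.

```python
import re
from collections import Counter

# Journal lines copied from the excerpts posted in this thread.
SAMPLE = """\
Apr 29 10:10:41 talos pcscd[95869]: 00000000 ccid_usb.c:1286:ControlUSB() control failed (4/3): -7 LIBUSB_ERROR_TIMEOUT
Apr 29 10:10:41 talos pcscd[95869]: 00117987 auth.c:119:IsClientAuthorized() Error in authorization: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: Action org.debian.pcsc-lite.access_pcsc is not registered
Apr 29 10:10:41 talos pcscd[95869]: 00000030 auth.c:137:IsClientAuthorized() Process 7709 (user: 1000) is NOT authorized for action: access_pcsc
Apr 29 10:10:41 talos pcscd[95869]: 00000130 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
"""

# syslog prefix, then pcscd's own "<delta> <file>:<line>:<func>() <message>".
LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ pcscd\[(?P<daemon>\d+)\]: "
                  r"\d{8} [\w.]+:\d+:\w+\(\) (?P<msg>.*)$")
UNREGISTERED = re.compile(r"Action (\S+) is not registered")
DENIED = re.compile(r"Process (\d+) \(user: (\d+)\) is NOT authorized "
                    r"for action: (\S+)")
USB = re.compile(r"LIBUSB_ERROR_\w+")


def triage(text):
    """Group pcscd journal lines by failure cause (hypothetical helper)."""
    report = {"denied": Counter(), "rejected": 0,
              "usb_errors": Counter(), "unparsed": 0}
    missing = {}  # daemon pid -> polkit action ids reported as unregistered
    for raw in filter(str.strip, text.splitlines()):
        m = LINE.match(raw)
        if not m:
            report["unparsed"] += 1
            continue
        daemon, msg = m["daemon"], m["msg"]
        if (u := UNREGISTERED.search(msg)):
            missing.setdefault(daemon, set()).add(u[1])
        elif (d := DENIED.search(msg)):
            pid, uid, action = d.groups()
            # Unknown action id: a missing policy, not a decision on this user.
            unknown = any(a.rsplit(".", 1)[-1] == action
                          for a in missing.get(daemon, ()))
            cause = "action_not_registered" if unknown else "denied_by_policy"
            report["denied"][(int(pid), int(uid), action, cause)] += 1
        elif "Rejected unauthorized PC/SC client" in msg:
            report["rejected"] += 1
        elif (e := USB.search(msg)):
            report["usb_errors"][e[0]] += 1
    return report


if __name__ == "__main__":
    print(triage(SAMPLE))
```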

thblt commented 3 years ago

@peterhoeg I believe you've fixed the wrong file. Since the computer I'm on is affected, I cannot send a PR right now, so all I can offer immediately is a patch that reverts your changes in #121105 and, I believe, solves the actual root problem, which is an error in pcsclite's configureFlags. See patch below.

From 45d53111882130edd2c097c5fa0121a5181de0bb Mon Sep 17 00:00:00 2001
From: Thibault Polge <thibault@thb.lt>
Date: Thu, 29 Apr 2021 14:36:07 +0200
Subject: [PATCH] Don't configure pcsclite with a confdir (fix #121088)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This reverts commit 6d23cfd56bbecfd27f230705b709575ba9d66c26, which
solved #121088 by hardcoding the configuration file path into the
binary call. Instead, it removes the --enable-confdir build option
which was the root cause of the issue.  To clarify, this is how
./configure --help describes the parameter:

  --enable-confdir=DIR    directory containing reader configurations (default

But it was set as:

  configureFlags = [
     "--enable-confdir=/etc" … ]
---
 nixos/modules/services/hardware/pcscd.nix | 10 ----------
 pkgs/tools/security/pcsclite/default.nix  |  1 -
 2 files changed, 11 deletions(-)

diff --git a/nixos/modules/services/hardware/pcscd.nix b/nixos/modules/services/hardware/pcscd.nix
index 59c12ee12ca..54b6693f85a 100644
--- a/nixos/modules/services/hardware/pcscd.nix
+++ b/nixos/modules/services/hardware/pcscd.nix
@@ -57,16 +57,6 @@ in
     systemd.services.pcscd = {
       environment.PCSCLITE_HP_DROPDIR = pluginEnv;
       restartTriggers = [ "/etc/reader.conf" ];
-
-      # If the cfgFile is empty and not specified (in which case the default
-      # /etc/reader.conf is assumed), pcscd will happily start going through the
-      # entire confdir (/etc in our case) looking for a config file and try to
-      # parse everything it finds. Doesn't take a lot of imagination to see how
-      # well that works. It really shouldn't do that to begin with, but to work
-      # around it, we force the path to the cfgFile.
-      #
-      # https://github.com/NixOS/nixpkgs/issues/121088
-      serviceConfig.ExecStart = [ "" "${getBin pkgs.pcsclite}/bin/pcscd -f -x -c ${cfgFile}" ];
     };
   };
 }
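Review bot: Nothing in the pcscd.nix hunk shows which config file pcscd reads once `-c ${cfgFile}` is gone from ExecStart, while `restartTriggers = [ "/etc/reader.conf" ];` is kept. Please confirm that the daemon built without `--enable-confdir=/etc` still picks up `/etc/reader.conf`; if it does not, the module-generated file is silently ignored and the restart trigger watches a path the service never opens. If `cfgFile` was referenced only in the removed line, its binding (not visible in this hunk) should be removed as well.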
diff --git a/pkgs/tools/security/pcsclite/default.nix b/pkgs/tools/security/pcsclite/default.nix
index 71bd13c4a72..58df2442afa 100644
--- a/pkgs/tools/security/pcsclite/default.nix
+++ b/pkgs/tools/security/pcsclite/default.nix
@@ -30,7 +30,6 @@ stdenv.mkDerivation rec {
   '';

   configureFlags = [
-    "--enable-confdir=/etc"
     # The OS should care on preparing the drivers into this location
     "--enable-usbdropdir=/var/lib/pcsc/drivers"
   ]
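Review bot: The directory that takes over from `--enable-confdir=/etc` in configureFlags is never stated, and the help text quoted in the commit message is cut off at "(default", so a reader cannot tell which directory the daemon will scan after this change. Consider setting the flag to a dedicated reader-configuration directory instead of deleting it, or add a comment next to the `--enable-usbdropdir` one naming the directory the build now falls back to. A system daemon parsing every file it finds in a shared directory was the failure reported here, so the chosen location deserves to be explicit.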
-- 
2.31.1

thblt commented 3 years ago

@evalexpr @colemickens These logs look like #121121

evalexpr commented 3 years ago

@thblt applying both #121246 and #121247 fixes the issue for me too

thblt commented 3 years ago

@evalexpr Thanks for the feedback! Could you please comment on #121246 so we can get it merged asap?