Secure Setup
OpenCT was designed to be secure and allow system administrators to restrict access to smart card readers.
You have the option to
- install openct so it can be used by everyone.
- limit access to openct to some group.
- limit access to openct to some user.
Access control is done by setting permissions on the /var/run/openct directory.
Note that in all setups the first user to access a reader will lock that reader, and no other user will be able
to access the reader until it is unlocked.
FIXME: how does locking work? Does locking work for processes/connections, and does the built-in module limit access
to the user (all processes) even without a lock command? Is root able to bypass this security?
Access control to smart card readers supported by openct is managed using the ownership, group and permissions
on the directory /var/run/openct/. The example commands below set up smart card access open to everyone.
This is also the default.
Note, however, that some distributions have recently started using a so-called "tmpfs" on /var/run/. The effect
is that all files and directories are gone after a reboot, so the directory must be re-created and its
permissions set up properly during each system boot. Therefore it is best to execute the following commands once,
and also to edit the openct init script /etc/init.d/openct so that it executes the same commands each time the
directory is re-created.
chown root:root /var/run/openct/
chmod 0755 /var/run/openct
Note: this setup is used in the QuickStart documentation.
This example will restrict access to the scard group. This is the default setup on Debian systems.
You need to add each user that is allowed to use smart cards to the scard system group. Remember
that a user who has been added to a group must log out and log in again for the change to take effect.
chown root:scard /var/run/openct
chmod 0750 /var/run/openct
If you use openct with pc/sc-lite, then only pcscd needs to be able to access openct, and all users and
applications can use it via pc/sc-lite. In this case the restriction to one user is fine. pcscd usually runs as root.
Applications and tools might, however, print warnings if they cannot access the openct directory.
chown someuser /var/run/openct
chmod 0700 /var/run/openct
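The tmpfs note above means the directory has to be re-created with the right policy at every boot. The following is an added example, not part of OpenCT or its init script: a shell helper that re-creates the directory, applies one of the three setups from this page, and verifies the result. The function names and the policy keywords (everyone, group, user) are assumptions made for this illustration, and it relies on GNU stat.

```shell
#!/bin/sh
# Added example, not part of OpenCT. Function names and policy keywords
# (everyone, group, user) are assumptions made for this illustration.

# policy_mode POLICY -> prints the octal mode this page uses for that policy
policy_mode() {
    case $1 in
        everyone) echo 755 ;;
        group)    echo 750 ;;
        user)     echo 700 ;;
        *) echo "unknown policy: $1" >&2; return 2 ;;
    esac
}

# openct_check_dir DIR POLICY OWNER GROUP -> 0 only if DIR is a real directory
# with exactly the expected mode and ownership. OWNER and GROUP must both be
# names or both be numeric ids. Uses GNU stat (-c).
openct_check_dir() {
    want=$(policy_mode "$2") || return 2
    [ -d "$1" ] && [ ! -L "$1" ] || return 1
    by_name=$(stat -c '%a %U:%G' "$1") || return 1
    by_id=$(stat -c '%a %u:%g' "$1") || return 1
    [ "$by_name" = "$want $3:$4" ] || [ "$by_id" = "$want $3:$4" ]
}

# openct_setup_dir DIR POLICY OWNER GROUP
# Re-creates DIR if a tmpfs wiped it, applies the policy, then verifies it.
openct_setup_dir() {
    mode=$(policy_mode "$2") || return 2
    if [ -L "$1" ]; then
        echo "$1 is a symlink, refusing" >&2; return 1
    fi
    # Create with the tightest mode so the directory is never more open
    # than the chosen policy while ownership is being set.
    [ -d "$1" ] || mkdir -m 0700 "$1" || return 1
    chown "$3:$4" "$1" || return 1
    chmod "$mode" "$1" || return 1
    openct_check_dir "$1" "$2" "$3" "$4"
}

# Usage from an init script (the scard group setup from this page):
#   openct_setup_dir /var/run/openct group root scard || exit 1
```

openct_check_dir can also be run on its own to detect a directory whose mode or ownership has drifted from the intended setup.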