Since pcsc-lite 1.6.5 it is possible to start pcscd on demand and run it with fewer privileges than root.
System configuration
pcscd group
pcscd is run as a user in the pcscd group, so you need to create this group.
$ sudo addgroup --system pcscd
/var/run/pcscd directory
Since pcscd is no longer running as root it cannot create the /var/run/pcscd directory itself. The directory must be created as root and the correct permissions must be set:
- group = pcscd group
- access rights = rwx
$ sudo mkdir /var/run/pcscd
$ sudo chgrp pcscd /var/run/pcscd
$ sudo chmod g+w /var/run/pcscd
udev rule
pcscd is no longer running as root, so the permissions on the reader device need to be changed. For USB readers this is done via a udev rule file.
A previous blog entry described such a udev rule file.
libccid provides a udev rule file. I guess other drivers do not (yet) provide one.
Example:
# If not adding the device, go away
ACTION!="add", GOTO="pcscd_ccid_rules_end"
SUBSYSTEM!="usb", GOTO="pcscd_ccid_rules_end"
ENV{DEVTYPE}!="usb_device", GOTO="pcscd_ccid_rules_end"
# sysfs reports idVendor and idProduct as four lowercase hex digits, without a 0x prefix
ATTRS{idVendor}=="08e6", ATTRS{idProduct}=="0430", GROUP="pcscd"
# All done
LABEL="pcscd_ccid_rules_end"
This example is for the Gemplus GemPC430 reader. It is an old reader and is not CCID. Just replace the idVendor and idProduct with the values of your own USB reader.
Debian
All these steps are already in place for the pcscd and libccid packages in Debian (in experimental for now). The packages for the other drivers should follow.
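An added example, not part of the original article or of the pcsc-lite and libccid packages: a shell function that lints a rule file like the one in the udev rule section. It checks that idVendor/idProduct values use the form sysfs prints, that the reader is assigned to the pcscd group, and that no MODE makes the device world-writable. The function name check_reader_rules and the sample input are assumptions made for this example.

```shell
#!/bin/sh
# Added example: lint a udev rules file that gives a USB reader to the pcscd group.
# Usage: check_reader_rules FILE [GROUP]  (FILE "-" reads stdin; GROUP defaults to pcscd)
# Prints one line per problem; returns 1 if any problem was found, 0 otherwise.
check_reader_rules() {
    awk -v group="${2:-pcscd}" '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        /ATTRS?\{id(Vendor|Product)\}==/ {
            seen = 1
            rest = $0
            # udev compares the value as a string with what sysfs prints:
            # four lowercase hex digits, no 0x prefix.
            while (match(rest, /ATTRS?\{id(Vendor|Product)\}=="[^"]*"/)) {
                tok = substr(rest, RSTART, RLENGTH)
                rest = substr(rest, RSTART + RLENGTH)
                val = tok
                sub(/^[^"]*"/, "", val); sub(/"$/, "", val)
                if (val !~ /^[0-9a-f][0-9a-f][0-9a-f][0-9a-f]$/) {
                    printf "line %d: %s never matches (sysfs prints 4 lowercase hex digits)\n", NR, tok
                    bad = 1
                }
            }
            # The matched device must be assigned (= or :=) to the group.
            if ($0 !~ ("GROUP:?=\"" group "\"")) {
                printf "line %d: reader is not assigned to group %s\n", NR, group
                bad = 1
            }
            # A world-writable MODE bypasses the group restriction.
            if ($0 ~ /MODE:?="0?[0-7][0-7][2367]"/) {
                printf "line %d: MODE makes the device world-writable\n", NR
                bad = 1
            }
        }
        END {
            if (!seen) { print "no idVendor/idProduct match found"; bad = 1 }
            exit bad + 0
        }
    ' "${1:--}"
}

# Constructed sample input (not taken from a real system).
check_reader_rules - <<'EOF' || echo "rule file needs fixing"
ATTRS{idVendor}=="0x08E6", ATTRS{idProduct}=="0x0430", GROUP="pcscd"
ATTRS{idVendor}=="08e6", ATTRS{idProduct}=="0430", MODE="0666"
EOF
```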
Conclusion
The auto-start feature needs some configuration before it can be used.
If you do not want to follow all the steps described in this article you can continue to run pcscd as root as before.