Configuring your system for pcscd auto-start

Since pcsc-lite 1.6.5 it is possible to start pcscd on demand and run it with less privileges than root.

System configuration


pcscd group

pcscd is run as a user in the pcscd group. So you need to create this group.

$ sudo addgroup --system pcscd

/var/run/pcscd directory

Since pcscd is no more running as root it cannot create the /var/run/pcscd directory itself. The directory must be created as root and the correct permissions must be set:

  • group = pcscd group
  • access rights = rwx

$ sudo mkdir /var/run/pcscd
$ sudo chgrp pcscd /var/run/pcscd
$ sudo chmod g+w /var/run/pcscd

udev rule


pcscd is no more running as root so need permissions changed on the reader device. For USB readers this is done via a udev rule file.

A previous blog entry described such a udev rule file.
libccid provides a udev rule file. I guess other drivers does not (yet) provide one.

Example:

# If not adding the device, go away
ACTION!="add", GOTO="pcscd_ccid_rules_end"
SUBSYSTEM!="usb", GOTO="pcscd_ccid_rules_end"
ENV{DEVTYPE}!="usb_device", GOTO="pcscd_ccid_rules_end"

ATTRS{idVendor}=="0x08E6", ATTRS{idProduct}=="0x0430", GROUP="pcscd"

# All done
LABEL="pcscd_ccid_rules_end"


This example if for the Gemplus GemPC430 reader. It is an old reader and is not CCID. Just replace the idVendor and idProduct by the value of your own USB reader.

Debian


All these steps are already in place for the pcscd and libccid packages in Debian (in experimental for now). The packages for the other drivers should follow.

Conclusion


The auto-start feature needs some configuration before it can be used.
If you do not want to follow all the steps described in this article you can continue to run pcscd as root as before.


Flattr this
Previous
Next Post »