Page MenuHome GnuPG

Allow scdaemon to run as a system service
Open, NormalPublic

Description

scdaemon is run under the account of the current user. This is sometimes problematic if another user needs access to a smartcard. For example on system startup to unlock an encrypted partition and then later to use the smartcard for login. With an scdaemon running as system service things would be easier.

The tentative plan is to optionally allow for this by launching scdaemon on Unix via userv(1) as needed. We need to check whether our session locking is sufficient to work with different users and whether the pinentry will behave correctly. There should also be no leaking of data between sessions - it depends a bit on how this scdaemon service is used: Single user box with service accounts or on a real multi user box.

Event Timeline

werner triaged this task as Normal priority.Aug 29 2023, 1:33 PM
werner created this task.
werner created this object with edit policy "Contributor (Project)".

So we need a way to launch scdaemon via userv and make sure that the scdaemon user gives proper permissions to its socket file. gpg-agent also nees to check for a proper version of scdaemon and gpgme needs to be aware of this as well (if it want to directly connect to scdaemon).