pcscd (auto)starting and permission troubles

Bug #1061947 reported by Bart on 2012-10-04
This bug affects 3 people
Affects: pcsc-lite (Ubuntu)

Bug Description

Kernel : Linux 3.2.0-31-generic-pae (i686)
Distribution : Ubuntu 12.04.1 LTS
Desktop : XFCE 4
pcscd : 1.7.4-2ubuntu2

Information on how to start pcscd the right way is very limited. What I found out after digging in for some days ... : --help and man pcscd are not really helpful. After installing the packet, pcscd doesn't launch itself.

After a while I found out there is a script /etc/init.d/pcscd (not mentioned in man) that is supposed to start the daemon at startup, but it has a line 'exit 0' in it preventing it from running ..., and a comment that is not very helpful for an average Linux user. So I think ok, it doesn't need to run at startup. Let me try to start the daemon myself ...
And then troubles begin. It's easy to mess it up: As I found out (and it took me a while, believe me...) running pcscd as simple user (not as root) hangs further well behaviour of the daemon. Only if you use it with the -x option, it will kill itself after 60s. Otherwise it just states it is already running but can't access a card reader.

So please, state clearly in man that you have to run pcscd as root to start it as a daemon ! Or, alternatively, make the timeout of 60 s the default so that you can get out of a blocking situation !

To check the good working of a card reader, pcsc_scan can be used. But also here, if you start it as a regular user and pcscd isn't launched yet, it launches the daemon for you, but hey, you are not root, so bingo, blocked again. Luckily, it seems to be launched with the -x option, so (only) after 60s you can try again, as root this time ... To make the whole a little more confusing, once the daemon is running, you can launch pcsc_scan as regular user without problem. But that's good, I think, after all, since it means (as far as I understand) that applications can get to the card reader without any augmented permissions.

So stays the question: how do I start the daemon the right way ? I haven't found out yet ...
I could use /etc/init.d/pcscd and comment out the 'exit 0'. But I fear the daemon will be very diligent to do its work, probing my machine for the heck of it (as I noted running sudo pcscd -x -d and watching syslog).

Ideally, the daemon would be started on startup, with the right permissions, but without it probing constantly for some reader. Then an application that wants to get access to a reader, could 'tickle' the daemon so it starts probing for some time, the application does its thing, and the daemon stops probing when not needed anymore.

If someone knows this is possible, or if there is another preferred scenario, I would be glad to hear about it ! Read also that a new version of pcscd will use another means to start automatically, but it's not supported (yet?) on Ubuntu ?
Meanwhile, I hope this info can already help someone taming this one ...


The technical stuff:

After boot (daemon not running) executing 'sudo pcsc_scan' -- it's working !
Information for reader is displayed. Even if after that (within 60s) I just run
'pcsc_scan', the information is displayed again.
syslog messages (had some logging enabled in my driver):
  Oct 4 16:31:22 BP-LIN pcscd: debuglog.c:269:DebugLogSetLevel() debug level=debug
  Oct 4 16:31:22 BP-LIN kernel: [ 3379.177470] OZSCRLX ozscr_open: called
  Oct 4 16:31:22 BP-LIN kernel: [ 3379.177489] OZSCRLX ozscr_ioctl: OZSCR_STATUS
  Oct 4 16:32:28 BP-LIN kernel: [ 3445.597205] OZSCRLX ozscr_ioctl: OZSCR_STATUS
  Oct 4 16:32:28 BP-LIN kernel: [ 3445.997318] OZSCRLX ozscr_ioctl: OZSCR_STATUS
  Oct 4 16:32:29 BP-LIN kernel: [ 3446.398025] OZSCRLX ozscr_close: called

Ok, now relaunching 'pcsc_scan' as regular user. The daemon just keeps waiting
for a reader, no information for the reader displayed.
syslog states:
  Oct 4 16:34:26 BP-LIN pcscd: dyn_unix.c:81:DYN_GetAddress() IFDHCreateChannelByName: /usr/local/o2micro/lib_OZSCR.so: undefined symbol: IFDHCreateChannelByName
  Oct 4 16:34:26 BP-LIN pcscd: readerfactory.c:965:RFInitializeReader() Open Port 0xF10000 Failed (/dev/o2scr0)
  Oct 4 16:34:26 BP-LIN pcscd: readerfactory.c:275:RFAddReader() O2Micro SmartCardBus Reader init failed.

Escaping and trying to run 'pcsc_scan' again. No luck ...
syslog states:
  Oct 4 16:36:38 BP-LIN pcscd: pcscdaemon.c:342:main() file /var/run/pcscd/pcscd.comm already exists.
  Oct 4 16:36:38 BP-LIN pcscd: pcscdaemon.c:344:main() Another pcscd (pid: 5208) seems to be running.

Bart (bart2pub) wrote :

Oeps, 2 little additions:

at $6, about probing and watching syslog: I had also my cards driver (OZSCRLX) compiled with a debug flag on...

technical stuff, $1 the 'within 60s' is only with sudo pcsc_scan. If the daemon is started with 'sudo pcscd' then a regular user can run pcsc_scan without any problem, just as long as the daemon isn't killed.

It looks like you are using a smart card reader NOT using a USB port. So the access rights on /dev/o2scr0 are not correct and pcscd fails to open the device.
You compiled the OZSCR driver by yourself (it is installed in /usr/local/). Maybe you should report the problem to the driver author so the driver can create the device file /dev/o2scr0 with the correct access rights.

For more information about your problem you can read http://ludovicrousseau.blogspot.fr/2010/09/pcscd-auto-start.html and http://ludovicrousseau.blogspot.fr/2010/12/configuring-your-system-for-pcscd-auto.html

Removing the "exit 0" in /etc/init.d/pcscd should solve the problem for you. pcscd will be started at boot as root.

A future version of pcsc-lite in Ubuntu will use systemd and solve all your problems http://ludovicrousseau.blogspot.fr/2011/11/pcscd-auto-start-using-systemd.html

Bart (bart2pub) wrote :

Thanks Ludovic for the prompt reply. I had already visited your blog, but it wasn't clear to me which info applied to my situation. It was a bit too wealthy to find my way at first :-). But anyway, I got it working.

The reader I am using with my laptop is a built-in O2Micro SmartCardBus Reader. It's a 3 in 1 thinkie (OZ711SP1), connected to an Intel Corporation 82801 Mobile PCI Bridge:
>> O2 Micro, Inc. OZ711SP1 Memory CardBus Controller (driver: yenta_cardbus) -> pcmcia socket
>> O2 Micro, Inc. OZ711SP1 Memory CardBus Controller (driver: yenta_cardbus) -> pcmcia socket (internal) -> O2Micro SmartCardBus Reader
>> O2 Micro, Inc. Integrated MMC/SD Controller (driver: sdhci-pci) and Integrated MS/xD Controller (driver: ---, haven't tested it yet if it reads MS/xD cards)

The yenta_cardbus and sdhci-pci drivers worked out of the box (installing Ubuntu); to enable the SmartCardBus reader, I found a driver at http://gna.org/projects/o2scr : o2scr-1.0.8.tar.bz2, this one not really working out of the box ...

So at last ... getting to the final stage with the help of your comment "... access rights on /dev/o2scr0 are not correct and pcscd fails to open the device ...". Took me some other day of peeking and poking to get my solution by creating a file /etc/udev/rules.d/99-xxxxxxxx.rules and add a udev rule in it:
  ACTION!="add", GOTO="pcscd_rules_end"
  KERNEL=="o2scr0", SUBSYSTEM=="ozscrlx", GROUP="pcscd"
  # label that the GOTO above jumps to
  LABEL="pcscd_rules_end"
Had also to remove (comment out) the "exit 0" in /etc/init.d/pcscd as you told me and now everything is working smoothly.

I will notify the authors of the driver of the problem. Its source seemed to me to be up-to-date as it is dated 06-Jun-2012. As it seems to me, they have some options to change their code:
- adding some chgrp function when the device is created to set the group to pcscd (#include <sys/stat.h> ...).
- adding a rule on the fly to some (generic) udev rules file.
- having a prepared udev rules file that is copied to /etc/udev/rules.d when installing.

Is it possible to make the installation comment out the "exit 0" line in /etc/init.d/pcscd ?

It would be nice if there was some generic rule installed with pcscd (or Ubuntu) that could check if there is a smartcard reader installed, and then add the right permissions ... The hardware I use is rather common on laptops, and I think it's not quite easy for the authors of a driver to get along with all the changes. Especially when Linux is not supported by the manufacturer.

Will the future version of pcsc-lite require another adaptation of the driver ?

Thanks for coding,
and thanks for putting me on the right track,
Bart Lambrechts.

The driver has to provide the udev rule file.

But, as I already wrote, this is no more necessary with recent pcsc-lite using systemd.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in pcsc-lite (Ubuntu):
status: New → Confirmed

queo (kurt-quehenberger) wrote :

Dear Ludovic,

I have a problem with the permission-settings of pcscd, like reported here:

---executed as non-root:
gpg --card-status
gpg: selecting openpgp failed: unknown command
gpg: OpenPGP Karte ist nicht vorhanden: Allgemeiner Fehler

---executed as root:
sudo gpg --card-status
gpg: detected reader `Lenovo Integrated Smart Card Reader 00 00'

My system data is:
Thinkpad T410
Ubuntu 12.04.1 LTS 64bit
pcscd 1.7.4-2ubuntu2

Could you please tell me what to do to get the permissions settings correct to get the card status as non-root user, too?
Thanks in advance for your help!!
Best regards,

The easiest solution is to make pcscd suid root.

sudo chmod u+s /usr/sbin/pcscd

queo (kurt-quehenberger) wrote :

Thanks for your fast response!
But this doesn't solve the problem either:
gpg --card-status
gpg: selecting openpgp failed: unknown command
gpg: OpenPGP Karte ist nicht vorhanden: Allgemeiner Fehler

The permissions of pcscd is as follows:
-rwsr-xr-x 1 root pcscd 110024 Apr 4 2012 /usr/sbin/pcscd

Is there any other thing I could try to solve this issue?

George Gill (ggilliii10) on 2013-02-23
description: updated

What happens if you do (after setting pcscd suid root permissions)
$ /usr/sbin/pcscd -dfa

Another solution is to edit the file /etc/init.d/pcscd and remove (or comment) the line 43 "exit 0"
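
An added example, not part of the bug report or of pcsc-lite: a POSIX shell audit of the three states this thread runs into, namely the group and mode on the reader's device node, a setuid bit left on the pcscd binary, and a pcscd instance running as a non-root user. It assumes GNU stat; the function names are made up for this example, and the paths in the trailing comments are the ones quoted in the posts.

```shell
#!/bin/sh
# Added example: audit the permission states discussed in this thread.
# Device path, group and binary path are passed in by the caller.

# check_node PATH GROUP: returns 0 if PATH is group-owned by GROUP with
# group read+write and no access for "other"; prints each reason otherwise.
check_node() {
    node=$1; want=$2
    [ -e "$node" ] || { echo "missing: $node"; return 1; }
    set -- $(stat -c '%G %a' "$node")      # GNU stat: group name, octal mode
    group=$1; mode=$((0$2))                # leading 0 => parsed as octal
    rc=0
    [ "$group" = "$want" ] || { echo "group is $group, expected $want"; rc=1; }
    [ $((mode & 060)) -eq $((060)) ] || { echo "group lacks rw"; rc=1; }
    [ $((mode & 007)) -eq 0 ] || { echo "accessible to everyone"; rc=1; }
    return $rc
}

# setuid_owner PATH: prints the owning user if the setuid bit is set,
# prints nothing if it is not.
setuid_owner() {
    if [ -u "$1" ]; then stat -c '%U' "$1"; fi
}

# non_root_daemons: reads "USER PID" lines on stdin and prints the PIDs of
# instances not running as root, the state in which the thread's pcscd
# held pcscd.comm but could not open the reader.
non_root_daemons() {
    while read -r user pid; do
        [ -n "$user" ] && [ "$user" != "root" ] && echo "$pid"
    done
    return 0
}

# Live use with the values quoted in the posts:
#   check_node /dev/o2scr0 pcscd
#   setuid_owner /usr/sbin/pcscd
#   ps -C pcscd -o user=,pid= | non_root_daemons
```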
