[BRLTTY] permissions on the brlapi.key file

Dave Mielke dave at mielke.cc
Sun Aug 28 00:06:18 EDT 2016


[quoted lines by kendell clark on 2016/08/27 at 17:00 -0500]

>there is one minor thing I'd like to fix in brltty's package build script so 
>that braille more or less works out of the box, at least for USB displays. The 
>reason orca was having so much trouble with the braille sense wasn't the 
>display or orca, it was the permissions that were set on the /etc/brlapi.key 
>file. It was owned by root and readable only by root. I was able to fix this 
>by entering "sudo chmod 755 /etc/brlapi.key" in a terminal, after which 
>everything worked. Is it possible to specify something like "install -d -m 755 
>/etc/brlapi.key" in the package build script so that this works automatically? 

This boils down to what is and what isn't a good security policy. What you're 
effectively asking for is the generation of a secret key that, by default, is 
made public. Of course, once a key is made public then there's no point in ever 
trying to restrict it since, before restricting it, anyone could've made a 
copy of it.

Perhaps the best thing to do is for the default to be that brltty is installed 
with no brlapi security. Then, if desired, brlapi security could be activated 
as desired, at a later time, by a system's administrator.

>I'm not sure if brltty comes with its own brlapi.key file or if brltty itself 
>generates it. If it generates it, can permissions on it be set in the config 
>file? I'm trying to find a way to fix it so that sonar users can simply plug 
>in a display and have it work without having to change the permissions 
>themselves. 

Couldn't initial Sonar setup include setting the permissions on 
/etc/brlapi.key? They may not need to be as wide open as 644, by the way. Orca 
usually runs as the gdm user, and the primary group for the gdm user is usually 
gdm. As I see it, therefore, the best thing to do might be to make 
/etc/brlapi.key be owned by the root user and the gdm group, and for its 
permissions to be 640.

-- 
Dave Mielke           | 2213 Fox Crescent | The Bible is the very Word of God.
Phone: 1-613-726-0014 | Ottawa, Ontario   | http://Mielke.cc/bible/
EMail: Dave at Mielke.cc | Canada  K2A 1H7   | http://FamilyRadio.org/
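
Added example (not part of the original message, and not BRLTTY's own code): a POSIX shell check that a package post-install step or an administrator could run to confirm the key file matches the root:gdm, mode 640 policy suggested above. It assumes GNU coreutils stat; the function name check_key and its arguments are hypothetical.

```sh
#!/bin/sh
# Audit a BrlAPI key file against an owner/group/mode policy.
# Assumption: GNU coreutils stat (-c). check_key is a hypothetical helper name.
#
# Usage: check_key FILE OWNER GROUP
#   e.g. check_key /etc/brlapi.key root gdm
# Prints one finding per line; returns 0 when the file matches, 1 otherwise.
check_key() {
    file=$1; want_owner=$2; want_group=$3; rc=0

    [ -f "$file" ] || { echo "not a regular file: $file"; return 1; }

    mode=$(stat -c '%a' "$file")     # octal permission bits, e.g. 640
    owner=$(stat -c '%U' "$file")
    group=$(stat -c '%G' "$file")

    # Last octal digit = permissions for "other". Any non-zero value means
    # every local account can at least read or traverse the secret.
    case $mode in
        *[1-7])
            echo "mode $mode: accessible to all users, key must be replaced"
            rc=1 ;;
    esac

    # Second-to-last digit = group. Write access (2, 3, 6, 7) would let any
    # group member substitute a key of their own.
    case $mode in
        *[2367]?)
            echo "mode $mode: group-writable"
            rc=1 ;;
    esac

    [ "$owner" = "$want_owner" ] || { echo "owner is $owner, expected $want_owner"; rc=1; }
    [ "$group" = "$want_group" ] || { echo "group is $group, expected $want_group"; rc=1; }

    return $rc
}

# Applying the policy to an existing key (run as root):
#   chown root:gdm /etc/brlapi.key && chmod 640 /etc/brlapi.key
# Installing a key from a build tree with the policy in one step
# (no -d here: install -d creates directories, not files):
#   install -o root -g gdm -m 0640 brlapi.key /etc/brlapi.key
```

A finding on the "other" bits is treated as a reason to replace the key rather than just tighten the mode, for the reason given in the message: a key that was ever public may already have been copied.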

