[BRLTTY] Issue linking brlapi and orca.
Dave Mielke
dave at mielke.cc
Sat Sep 16 21:04:01 EDT 2017
[quoted lines by Didier Spaier on 2017/09/15 at 20:10 +0200]
>Does that imply that the braille device should be connected before
>booting? Or will this work if the device is connected after the daemon
>has started?
You should be able to connect the braille device at any time - even long after
the boot has completed. I believe that both orca and xbrlapi (assuming that
you're using recent releases) automatically retry until the BrlAPI server is
available. Of course, you should verify this as I'm not 100% sure.
What I've said is true for USB devices, assuming that you're using brltty's
udev rules, because connecting a USB braille device automatically starts a
brltty process dedicated to that device. For Bluetooth and/or serial devices,
however, you'll need an additional brltty process that's started during the
boot and stays running. Enabling brltty.target (assuming you're using systemd)
will do this.
>Also, I had first commented all lines under:
>Application Programming Interface Parameters in /etc/brltty.conf
>and I assume that this is not safe.
I'm not sure what you mean. I'm suspecting that you mean "uncommented" (not
"commented"). Doing that is only unsafe if any of those lines specifies
something you don't want. In general, those commented lines show what the
defaults are.
>Currently I include this code snippet in brltty's post-install script:
>---
>if [ ! -f etc/brlapi.key ]; then
> chmod 755 usr/sbin/brltty-genkey
> usr/sbin/brltty-genkey etc/brlapi.key
> usr/bin/chgrp braille etc/brlapi.key
> chmod 640 etc/brlapi.key
>fi
>---
In my opinion, you should be using absolute paths. This code is assuming that
the current directory is /, which may well be true, but it shouldn't be
assuming it. It's just my opinion, of course, but I really think you should add
the leading slashes.
I think you should be invoking brltty-genkey by just its name - not by its path
- and letting the shell find it wherever it is.
I think that you shouldn't be using chmod to make it executable. Firstly, it
should simply already have been installed that way. Secondly, an administrator
may want the freedom to make it unexecutable as a way to disable it.
>I assume that this fits the setting below in /etc/brtty.conf:
>api-parameters Auth=group:braille
No. That parameter means that the client either needs to be in the braille
group or have braille as one of its supplementary groups. If that's true then
the file (brlapi.key) won't even be checked.
>If, say, I am more lenient and allow all local connections like this:
>api-parameters Host=:0
This parameter has nothing to do with authorization (Host= isn't Auth=). It's
specifying that the server will be waiting on the port for BrlAPI session #0.
Specifying Host= is usually only ever necessary when you're running more than
one brltty process.
>Then could I have root:root own /etc/brlapi.key and make it 644?
You could do that, but that'd remove all restrictions. Also, if that's what you
really want then it's simpler to specify Auth=none.
>Is the increased security allowing only members of the braille group
>worthwhile?
If it's your own system, and only you and maybe other trustworthy people use
it, then sure. I wouldn't dare be too casual with anyone else's system, though.
>Bear in mind that I am searching a convenient default
>setting for Slint, that the admin could of course change after
>installation.
This comes down to personal opinion. Is it better to have no security and place
the responsibility on the administrator to remember to tighten it up, or is it
better to be reasonably secure while allowing an administrator to loosen it up.
It's your decision.
--
Dave Mielke | 2213 Fox Crescent | http://Mielke.cc/
Phone: 1-613-726-0014 | Ottawa, Ontario | http://Mielke.cc/bible/
EMail: Dave at Mielke.cc | Canada K2A 1H7 | The Bible is the very Word of God.
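
The post-install snippet reworked along the lines suggested in the reply above (absolute key path, brltty-genkey found by name, no chmod on the tool), as an added example that is not part of the original message or of BRLTTY's own code. The function names ensure_brlapi_key and key_mode_ok are hypothetical, the umask step and the mode check are additions, and the brltty-genkey call form is taken from the quoted snippet.

```shell
#!/bin/sh
# Added example: post-install key setup following the review comments above.
# Defaults (/etc/brlapi.key, group "braille") come from the quoted snippet.

# ensure_brlapi_key [KEYFILE] [GROUP]
# Creates the key only if it is missing, then restricts it to owner + GROUP.
ensure_brlapi_key() {
    keyfile=${1:-/etc/brlapi.key}
    group=${2:-braille}

    # Require an absolute path so the result never depends on the
    # current directory of whatever runs the post-install script.
    case $keyfile in
        /*) ;;
        *) echo "key path must be absolute: $keyfile" >&2; return 2 ;;
    esac

    if [ ! -f "$keyfile" ]; then
        # Invoked by name so the shell finds it on PATH. No chmod on the
        # tool: an administrator may have removed its execute bit on purpose.
        # Assumption: the key file is created under the caller's umask, so
        # the subshell tightens it to avoid a world-readable window.
        ( umask 077 && brltty-genkey "$keyfile" ) || return 1
        chgrp "$group" "$keyfile" || return 1
        chmod 640 "$keyfile" || return 1
    fi
}

# key_mode_ok KEYFILE
# Succeeds only if the file grants no permissions at all to "other".
key_mode_ok() {
    # ls -ln prints the mode string first, e.g. -rw-r-----
    mode=$(ls -ln "$1" | cut -c1-10) || return 1
    case $mode in
        -??????---) return 0 ;;
        *) return 1 ;;
    esac
}
```

An existing key is left untouched, as in the quoted snippet, so permissions an administrator has changed after installation are not reset on upgrade.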