[BRLTTY] Issue linking brlapi and orca.

Dave Mielke dave at mielke.cc
Sat Sep 16 21:04:01 EDT 2017


[quoted lines by Didier Spaier on 2017/09/15 at 20:10 +0200]

>Does that imply that the braille device should be connected before
>booting? Or will this work if the device is connected after the daemon
>has started?

You should be able to connect the braille device at any time - even long after 
the boot has completed. I believe that both orca and xbrlapi (assuming that 
you're using recent releases) automatically retry until the BrlAPI server is 
available. Of course, you should verify this as I'm not 100% sure.

What I've said is true for USB devices, assuming that you're using brltty's 
udev rules, because connecting a USB braille device automatically starts a 
brltty process dedicated to that device. For Bluetooth and/or serial devices, 
however, you'll need an additional brltty process that's started during the 
boot and stays running. Enabling brltty.target (assuming you're using systemd) 
will do this.

>Also, I had first commented all lines under:
>Application Programming Interface Parameters in /etc/brltty.conf
>and I assume that this is not safe.

I'm not sure what you mean. I'm suspecting that you mean "uncommented" (not 
"commented"). Doing that is only unsafe if any of those lines specifies 
something you don't want. In general, those commented lines show what the 
defaults are.

>Currently I include this code snippet in brltty's post-install script:
>---
>if [ ! -f etc/brlapi.key ]; then
>	chmod 755 usr/sbin/brltty-genkey
>	usr/sbin/brltty-genkey etc/brlapi.key
>	usr/bin/chgrp braille etc/brlapi.key
>	chmod 640 etc/brlapi.key
>fi
>---

In my opinion, you should be using absolute paths. This code is assuming that 
the current directory is /, which may well be true, but it shouldn't be 
assuming it. It's just my opinion, of course, but I really think you should add 
the leading slashes.

I think you should be invoking brltty-genkey by just its name - not by its path 
- and letting the shell find it wherever it is. 

I think that you shouldn't be using chmod to make it executable. Firstly, it 
should simply already have been installed that way. Secondly, an administrator 
may want the freedom to make it unexecutable as a way to disable it.

>I assume that this fits the setting below in /etc/brtty.conf:
>api-parameters Auth=group:braille

No. That parameter means that the client either needs to be in the braille 
group or have braille as one of its supplementary groups. If that's true then 
the file (brlapi.key) won't even be checked.

>If, say, I am more lenient and allow all local connections like this:
>api-parameters Host=:0

This parameter has nothing to do with authorization (Host= isn't Auth=). It's 
specifying that the server will be waiting on the port for BrlAPI session #0. 
Specifying Host= is usually only ever necessary when you're running more than 
one brltty process.

>Then could I have root:root own /etc/brlapi.key and make it 644?

You could do that, but that'd remove all restrictions. Also, if that's what you 
really want then it's simpler to specify Auth=none.

>Is the increased security allowing only members of the braille group
>worthwhile? 

If it's your own system, and only you and maybe other trustworthy people use 
it, then sure. I wouldn't dare be too casual with anyone else's system, though.

>Bear in mind that I am searching a convenient default
>setting for Slint, that the admin could of course change after
>installation.

This comes down to personal opinion. Is it better to have no security and place 
the responsibility on the administrator to remember to tighten it up, or is it 
better to be reasonably secure while allowing an administrator to loosen it up. 
It's your decision.

-- 
Dave Mielke           | 2213 Fox Crescent | http://Mielke.cc/
Phone: 1-613-726-0014 | Ottawa, Ontario   | http://Mielke.cc/bible/
EMail: Dave at Mielke.cc | Canada  K2A 1H7   | The Bible is the very Word of God.
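
The post-install snippet reworked along the review points in the reply above (absolute paths, brltty-genkey found via PATH, no chmod on the generator), as an added example that is not part of the original message. The function names, the overridable arguments and the umask step are assumptions made for this example.

```shell
#!/bin/sh
# Added example: BrlAPI key setup for a post-install script.
# Assumptions (not from the thread): function names, the optional
# arguments, and the umask step.

# install_brlapi_key [KEYFILE] [GROUP] [GENERATOR]
install_brlapi_key() {
    key=${1:-/etc/brlapi.key}     # absolute path, no reliance on the cwd
    group=${2:-braille}
    gen=${3:-brltty-genkey}       # located via PATH, not a fixed path

    case $key in
        /*) ;;
        *) echo "refusing relative key path: $key" >&2; return 2 ;;
    esac

    # Keep an existing key, as the original snippet does.
    [ -f "$key" ] && return 0

    # No chmod on the generator: if an administrator made it
    # non-executable, treat that as "disabled" and report it.
    command -v "$gen" >/dev/null 2>&1 || {
        echo "$gen is not runnable; key not created" >&2
        return 3
    }

    # Restrictive umask in a subshell so the key is not world-readable
    # in the window between its creation and the chmod below.
    ( umask 077 && "$gen" "$key" ) || return 1
    chgrp "$group" "$key" && chmod 640 "$key"
}

# key_is_restricted KEYFILE: succeeds only if the mode is exactly 640.
key_is_restricted() {
    [ -n "$(find "$1" -prune -type f -perm 640 2>/dev/null)" ]
}
```

In a package script the call is simply `install_brlapi_key`, which uses /etc/brlapi.key and the braille group.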

