[BRLTTY] BRLTTY, systemd and unprivileged user

Aura Kelloniemi kaura.dev at sange.fi
Sat Aug 22 18:21:37 EDT 2020


Hello,

Dave Mielke <Dave at mielke.cc> writes:
 > [quoted lines by Aura Kelloniemi on 2020/08/22 at 08:57 +0300]
 > >BRLTTY changes to user brltty:brltty, but for some reason the capability
 > >assignments don't work and the process is non-functional. 

 > This should (must) be figured out. Please capture and post a debug log for when
 > brltty starts up. Use -L/path/to/logfile, and -ldebug should be enough.

I needed to return to a setup where I run brltty as root, because I needed to
get other things done. Could you recommend an easy solution which allows me
to install and run BRLTTY with reduced privileges, and then return to the
full-privileges version (blindly) when it shows "No screen"? I have a spare
display available that I can use, but I probably cannot have multiple BRLTTY
versions installed at the same time, because the systemd files need to be in place.

 > I'm wondering if you may have a mixture of older and newer systemd units/files.

Should not be.

 > Or, maybe, you have an incomplete setup. Which systemd-related files do you
 > currently have installed?

I had brltty.path, brltty@.path, brltty@.service, udev rules, and sysusers and
tmpfiles configuration files. I also had the brltty user and groups defined,
but the problem can be there, if systemd did not generate them properly.

 > The output from systemd status and journal would probably be helpful.

Aug 19 10:15:32 solaria systemd-wrapper[929]: BRLTTY 6.1 rev BRLTTY-6.1-438-gee5f2a06 [http://brltty.app/]
Aug 19 10:15:32 solaria systemd-wrapper[929]: brltty: continuing to execute as the invoking user: brltty
Aug 19 10:15:32 solaria systemd-wrapper[929]: brltty: capability not permitted: cap_sys_module
Aug 19 10:15:32 solaria systemd-wrapper[929]: brltty: capability not permitted: cap_setgid
Aug 19 10:15:32 solaria systemd-wrapper[929]: brltty: path not group readable: /dev/uinput
Aug 19 10:15:32 solaria systemd-wrapper[929]: brltty: path not group writable: /dev/uinput
Aug 19 10:15:32 solaria systemd-wrapper[929]: brltty: group not joined: 977(brlapi)
Aug 19 10:15:32 solaria systemd-wrapper[929]: brltty: group not joined: 987(uucp)
Aug 19 10:15:32 solaria systemd-wrapper[929]: brltty: cannot create directory: /run/brltty: Permission denied
Aug 19 10:15:32 solaria systemd[1]: brltty@-dev-bus-usb-003-004.service: Can't open PID file /run/brltty/brltty--dev-bus-usb-003-004.pid (yet?) after start: Operation not permitted
Aug 19 10:15:32 solaria systemd-wrapper[934]: brltty: cannot create directory: /run/brltty: Permission denied

 > >I have not found a way to prevent BRLTTY from changing the user without
 > >deleting the user or passing --with-privilege-parameters to configure. I would
 > >like to have a way to disable the UID change, something like
 > >--privilege-parameters=lx:user= on the BRLTTY command line.

 > That'd be a way to bypass a distribution's security policy.

Well, I mean I would like to do this as root. When I have root privileges, I
can already defeat all security policies, if I want. I want to run BRLTTY with
minimal privileges, but this kind of option would be extremely handy for
situations when something goes wrong.

 > >When I manage to run BRLTTY as root, it changes to the directory
 > >/var/run/brltty and tries to create device nodes there. However, /var/run is
 > >mounted with the nodev flag by systemd, for security reasons. As a result,
 > >BRLTTY does not have access to screen contents (or any other devices). I fixed
 > >this temporarily by setting writable-directory to /root/brltty-runtime/ in brltty.conf.

 > Brltty shouldn't be creating those devices. Sure, it'll try, but what this
 > situation really means is that something about the setup is wrong. In this
 > case, I'm suspecting that it's running as an unprivileged user but doesn't
 > have the needed group memberships. Again, a debug log would be helpful.

This was quite easy to test. I almost lost display access completely during
the process, but luckily did not. The log file is attached as brltty-as-root.log.

I ran:
# brltty -W /var/run/brltty -ne -l debug

BRLTTY fails to open /dev/tty1 (Permission denied) even though it manages to
join the group tty (/dev/tty1 is owned by my user and has group tty).

 > It could be that you didn't install the sysusers brltty.conf file. It probably
 > means that the brltty user doesn't have its needed supplementary group list.

The only group missing is dialout, because I already removed the systemd files
shipped with brltty (to get it running as root). dialout should not be needed
for screen access though.

 > For now, disable brltty's udev rules.

I will, and I probably never need them, since I always use one display, and I
want it to be managed by a single BRLTTY instance regardless of whether I'm
using bluetooth or USB.

 > >systemd complains that brltty@.service depends on systemd-udev-settle.service
 > >which is deprecated, and should no longer be used.

 > Does anything say what should be used instead?

This is an excerpt from /lib/systemd/system/systemd-udev-settle.service:
# This service can dynamically be pulled-in by legacy services which
# cannot reliably cope with dynamic device configurations, and wrongfully
# expect a populated /dev during bootup.

Maybe the internet would shed more light on this.

-- 
Aura

-------------- next part --------------
brltty: program exit event added: log
BRLTTY 6.1 rev BRLTTY-6.1-439-ge5a42ba2M [http://brltty.app/]
brltty: lock descriptor allocated: queue-discarded-elements
brltty: Log Level: debug
brltty: Privilege Parameter: path=
brltty: Privilege Parameter: scfmode=
brltty: Privilege Parameter: shell=
brltty: Privilege Parameter: user=
brltty: capabilities: at start: =ep
brltty: environment variable set: PATH: /bin:/usr/bin
brltty: environment variable set: SHELL: /bin/sh
brltty: temporary capability already added: cap_sys_admin (for isolating namespaces)
brltty: isolating namespace: cgroup (control groups)
brltty: isolating namespace: IPC (System V interprocess communication objects and POSIX message queues)
brltty: isolating namespace: mount (mount points)
brltty: isolating namespace: UTS (host name and NIS domain name)
brltty: unprivileged user not configured
brltty: continuing to execute as the invoking user: root
brltty: not claiming state directories
brltty: working directory changed: /var/lib/brltty
brltty: environment variable set: HOME: /var/lib/brltty
brltty: starting host command: /sbin/modprobe -q pcspkr
brltty: host command exit status: 0: /sbin/modprobe
brltty: starting host command: /sbin/modprobe -q uinput
brltty: host command exit status: 0: /sbin/modprobe
brltty: unknown group: dialout
brltty: path not group readable: /dev/uinput
brltty: path not group writable: /dev/uinput
brltty: setting supplementary groups: 0(root) 5(tty) 971(pulse-access) 977(brlapi) 987(uucp) 993(input) 995(audio)
brltty: unknown group: dialout
brltty: path not group readable: /dev/uinput
brltty: path not group writable: /dev/uinput
brltty: capabilities: after relinquish: cap_sys_admin,cap_sys_tty_config,cap_mknod=ep
brltty: pushed command environment: initial
brltty: report listener registered: 0: handleUpdateBrailleDeviceOnline
brltty: program exit event added: screen-data
brltty: Working Directory: /var/lib/brltty
brltty: Configuration File: /etc/brltty.conf
brltty: Preferences File: brltty.prefs
brltty: file opened: /root/.config/brltty/brltty.prefs fd=6
brltty: file opened: /root/.config/brltty/brltty.prefs fd=6
brltty: program exit event added: tunes
brltty: tune thread state change: 0 -> 1
brltty: tune thread state change: 1 -> 3
brltty: regions: text=0.0 status=0.0
brltty: shifts: full=1 half=0 vertical=5
brltty: program exit event added: prompt-patterns
brltty: Updatable Directory: /var/lib/brltty
brltty: Writable Directory: /var/run/brltty
brltty: Drivers Directory: /usr/lib/brltty
brltty: Tables Directory: /usr/share/brltty
brltty: compiling text table: /usr/share/brltty/Text/aura.ttb
brltty: file opened: /etc/xdg/brltty/aura.ttb fd=10
brltty: including data file: /usr/share/brltty/Text/aura.ttb
brltty: lock descriptor allocated: text-table
brltty: Text Table: aura
brltty: program exit event added: text-table
brltty: Attributes Table: left_right
brltty: program exit event added: attributes-table
brltty: program exit event added: contraction-table
brltty: Contraction Table: none
brltty: Keyboard Property: type=
brltty: Keyboard Property: vendor=
brltty: Keyboard Property: product=
brltty: program exit event added: keyboard-table
brltty: Keyboard Table: none
brltty: program exit event added: screen-driver
brltty: activity action request: screen-driver: start
brltty: activity state change: screen-driver: 4[preparing]
brltty: activity state change: screen-driver: 1[prepared]
brltty: activity state change: screen-driver: 2[scheduled]
brltty: program exit event added: braille-data
brltty: program exit event added: braille-driver
brltty: activity action request: braille-driver: start
brltty: activity state change: braille-driver: 4[preparing]
brltty: Braille Display Dimensions: 1 row, 1 column
brltty: regions: text=0.1 status=0.0
brltty: shifts: full=1 half=0 vertical=5
brltty: activity state change: braille-driver: 1[prepared]
brltty: activity state change: braille-driver: 2[scheduled]
brltty: program exit event added: speech-data
brltty: program exit event added: speech-driver
brltty: activity action request: speech-driver: start
brltty: activity state change: speech-driver: 4[preparing]
brltty: activity state change: speech-driver: 1[prepared]
brltty: activity state change: speech-driver: 2[scheduled]
brltty: Speech Input: none
brltty: BrlAPI Server: release 0.8.0
brltty: API Parameter: auth=
brltty: API Parameter: host=
brltty: API Parameter: stacksize=
brltty: program exit event added: address-table
brltty: program exit event added: api-server
brltty: program exit event added: sessions
brltty: pushed command environment: main
brltty: pushed command handler: unhandled
brltty: pushed command handler: miscellaneous
brltty: pushed command handler: learn
brltty: pushed command handler: speech
brltty: lock descriptor allocated: main-clipboard
brltty: program exit event added: main-clipboard
brltty: pushed command handler: clipboard
brltty: pushed command handler: preferences
brltty: pushed command handler: toggle
brltty: report listener registered: 3: brailleWindowUpdatedListener
brltty: pushed command handler: touch
brltty: report listener registered: 0: keycodeCommandDataResetListener
brltty: pushed command handler: keycodes
brltty: report listener registered: 0: inputCommandDataResetListener
brltty: pushed command handler: input
brltty: pushed command handler: navigation
brltty: pushed command handler: screen
brltty: pushed command handler: custom
brltty: pushed command handler: API
brltty: activity state change: screen-driver: 6[starting]
brltty: checking for screen driver: lx
brltty: initializing screen driver: lx
brltty: device directory: /dev
brltty: checking screen device: /dev/vcsa
brltty: screen device: vcsa
brltty: checking console device: /dev/tty0
brltty: console device: tty0
brltty: checking unicode device: /dev/vcsu
brltty: unicode device: vcsu
brltty: cannot open device: /dev/tty1: Permission denied
brltty: cannot contain device files: /var/run/brltty
brltty: screen driver initialization failed: lx
brltty: screen driver not found
brltty: activity action failed: screen-driver: start
brltty: activity state change: screen-driver: 2[scheduled]
brltty: activity state change: braille-driver: 6[starting]
brltty: checking braille device: bluetooth:
brltty: braille device type: Bluetooth
brltty: program exit event added: bluetooth-device-queue
brltty: checking for braille driver: fs
brltty: initializing braille driver: fs -> bluetooth:
brltty: activity state change: speech-driver: 6[starting]
brltty: no autodetectable speech drivers
brltty: checking for speech driver: no
brltty: initializing speech driver: no
brltty: Speech Driver: no [NoSpeech]
brltty: NoSpeech Speech Driver:
brltty: activity state change: speech-driver: 3[started]
brltty: activity state change: screen-driver: 6[starting]
brltty: checking for screen driver: lx
brltty: initializing screen driver: lx
brltty: checking screen device: /dev/vcsa
brltty: screen device: vcsa
brltty: checking console device: /dev/tty0
brltty: console device: tty0
brltty: checking unicode device: /dev/vcsu
brltty: unicode device: vcsu
brltty: cannot open device: /dev/tty1: Permission denied
brltty: cannot contain device files: /var/run/brltty
brltty: screen driver initialization failed: lx
brltty: screen driver not found
brltty: activity action failed: screen-driver: start
brltty: activity state change: screen-driver: 2[scheduled]
brltty: braille driver initialization failed: fs -> bluetooth:
brltty: braille driver not found
brltty: checking braille device: usb:
brltty: braille device type: USB
brltty: checking for braille driver: fs
brltty: initializing braille driver: fs -> usb:
brltty: USB: Manufacturer Name: Freedom Scientific
brltty: USB: Product Description: Focus 3
brltty: USB: Serial Number: 0123456
brltty: program exit event added: sorted-usb-serial-adapters
brltty: Detected Focus 40: cells=40, firmware=5.71
brltty: Manufacturer: FREEDOM SCIENTIFIC
brltty: Model: Focus 40
brltty: Firmware: 5.71
brltty: Braille Display Dimensions: 1 row, 40 columns
brltty: regions: text=0.40 status=0.0
brltty: shifts: full=40 half=20 vertical=5
brltty: Key Bindings: focus40
brltty: program exit event added: sorted-command-table
brltty: file opened: /etc/xdg/brltty/focus40.ktb fd=25
brltty: including data file: /usr/share/brltty/Input/fs/focus40.ktb
brltty: file opened: /etc/xdg/brltty/focus_blue.kti fd=26
brltty: including data file: /etc/xdg/brltty/focus_blue.kti
brltty: program exit event added: sorted-keyboard-functions
brltty: Key Table: /usr/share/brltty/Input/fs/focus40.ktb
brltty: constructing special screen: help
brltty: lock descriptor allocated: braille-driver
brltty: braille is online
brltty: Braille Driver: fs [FreedomScientific]
brltty: FreedomScientific Braille Driver:
brltty: Braille Device: usb:
brltty: Old Preferences File: /etc/brltty-fs.prefs
brltty: report listener registered: 0: brlapi_handleReports
brltty: regions: text=0.40 status=0.0
brltty: shifts: full=40 half=20 vertical=5
brltty: setting braille firmness: 4
brltty: activity state change: braille-driver: 3[started]
brltty: report listener unregistered: 0: brlapi_handleReports
brltty: pushed command environment: message
brltty: pushed command handler: message
brltty: program exit event added: command-queue
brltty: command: 00001D (HOME: go to screen cursor)
brltty: popped command handler: message
brltty: popped command environment: message
brltty: report listener registered: 0: brlapi_handleReports
brltty: activity state change: screen-driver: 6[starting]
brltty: checking for screen driver: lx
brltty: initializing screen driver: lx
brltty: checking screen device: /dev/vcsa
brltty: screen device: vcsa
brltty: checking console device: /dev/tty0
brltty: console device: tty0
brltty: checking unicode device: /dev/vcsu
brltty: unicode device: vcsu
brltty: cannot open device: /dev/tty1: Permission denied
brltty: cannot contain device files: /var/run/brltty
brltty: screen driver initialization failed: lx
brltty: screen driver not found
brltty: activity action failed: screen-driver: start
brltty: activity state change: screen-driver: 2[scheduled]
brltty: stopping program components
brltty: stopping program component: command-queue
brltty: stopping program component: sorted-keyboard-functions
brltty: stopping program component: sorted-command-table
brltty: stopping program component: sorted-usb-serial-adapters
brltty: stopping program component: bluetooth-device-queue
brltty: stopping program component: main-clipboard
brltty: stopping program component: sessions
brltty: popped command handler: API
brltty: popped command handler: custom
brltty: popped command handler: screen
brltty: popped command handler: navigation
brltty: popped command handler: input
brltty: report listener unregistered: 0: inputCommandDataResetListener
brltty: popped command handler: keycodes
brltty: report listener unregistered: 0: keycodeCommandDataResetListener
brltty: popped command handler: touch
brltty: report listener unregistered: 3: brailleWindowUpdatedListener
brltty: popped command handler: toggle
brltty: popped command handler: preferences
brltty: popped command handler: clipboard
brltty: popped command handler: speech
brltty: popped command handler: learn
brltty: popped command handler: miscellaneous
brltty: popped command handler: unhandled
brltty: popped command environment: main
brltty: stopping program component: api-server
brltty: report listener unregistered: 0: brlapi_handleReports
brltty: select: Interrupted system call
brltty: stopping program component: address-table
brltty: stopping program component: speech-driver
brltty: activity action request: speech-driver: stop
brltty: activity state change: speech-driver: 9[stopping]
brltty: activity state change: speech-driver: 0[stopped]
brltty: stopping program component: speech-data
brltty: stopping program component: braille-driver
brltty: pushed command environment: message
brltty: pushed command handler: message
brltty: popped command handler: message
brltty: popped command environment: message
brltty: activity action request: braille-driver: stop
brltty: activity state change: braille-driver: 9[stopping]
brltty: braille is offline
brltty: activity state change: braille-driver: 0[stopped]
brltty: stopping program component: braille-data
brltty: stopping program component: screen-driver
brltty: activity action request: screen-driver: stop
brltty: activity state change: screen-driver: 1[prepared]
brltty: activity state change: screen-driver: 0[stopped]
brltty: stopping program component: keyboard-table
brltty: stopping program component: contraction-table
brltty: lock descriptor allocated: contraction-table
brltty: stopping program component: attributes-table
brltty: lock descriptor allocated: attributes-table
brltty: stopping program component: text-table
brltty: stopping program component: prompt-patterns
brltty: stopping program component: tunes
brltty: tune thread state change: 3 -> 4
brltty: tune thread state change: 4 -> 5
brltty: stopping program component: screen-data
brltty: destructing special screen: help
brltty: stopping program component: log
brltty: stopping program component: queue
brltty: stopping program component: program-directory
brltty: stopping program component: program-path
brltty: stopping program component: options
brltty: stopped program components
popped command environment: initial
stopping program components
stopped program components
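The journal excerpt and the attached debug log above each list the preconditions that brltty checks before it drops privileges: capabilities it expects in its permitted set, supplementary groups it expects to have joined, group read/write on /dev/uinput, a creatable /run/brltty, and a writable-directory on which device files are allowed (the nodev point). The helper below is an added example, not code from BRLTTY or from anyone in this thread: it turns those log lines into a de-duplicated checklist and tells you whether a directory sits on a nodev mount. The sample journal lines and the mount table are constructed from what the message shows; the log line prefixes it accepts, and the systemd directive names it points to (CapabilityBoundingSet=, AmbientCapabilities=, SupplementaryGroups=, RuntimeDirectory=), are this example's own assumptions about where to look, not anything BRLTTY documents.

```shell
#!/bin/sh
# Added diagnostic helper; example code, not part of BRLTTY or its systemd
# files. It classifies the precondition failures brltty logs at startup and
# checks whether a directory is on a nodev mount. The systemd directive names
# printed in the checklist are this example's suggestion, not BRLTTY's docs.

# Constructed sample: the journal lines quoted in the message, unwrapped.
SAMPLE_LOG='systemd-wrapper[929]: brltty: continuing to execute as the invoking user: brltty
systemd-wrapper[929]: brltty: capability not permitted: cap_sys_module
systemd-wrapper[929]: brltty: capability not permitted: cap_setgid
systemd-wrapper[929]: brltty: path not group readable: /dev/uinput
systemd-wrapper[929]: brltty: path not group writable: /dev/uinput
systemd-wrapper[929]: brltty: group not joined: 977(brlapi)
systemd-wrapper[929]: brltty: group not joined: 987(uucp)
systemd-wrapper[929]: brltty: cannot create directory: /run/brltty: Permission denied
systemd-wrapper[934]: brltty: cannot create directory: /run/brltty: Permission denied'

# Constructed /proc/self/mounts-style table: /run carries nodev, / does not.
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,size=1638400k,mode=755 0 0
tmpfs /run/user/1000 tmpfs rw,nosuid,nodev,relatime,size=819200k 0 0'

TAB=$(printf '\t')

# brltty_failures LOGTEXT
# Accepts raw journal lines ("...[pid]: brltty: ...") or "-L" debug-log lines
# ("brltty: ..."); prints one "kind<TAB>detail" line per recognised failure.
brltty_failures() {
  printf '%s\n' "$1" | awk -F': ' '
    !sub(/^(.*\]: )?brltty: /, "")      { next }
    $1 == "capability not permitted"    { print "capability\t" $2; next }
    $1 == "group not joined"            { print "group\t" $2; next }
    $1 == "path not group readable" || $1 == "path not group writable" { print "devperm\t" $2; next }
    $1 == "cannot create directory"     { print "rundir\t" $2; next }
    $1 == "cannot contain device files" { print "nodev\t" $2; next }
    $1 == "cannot open device"          { print "device\t" $2; next }
  '
}

# brltty_remediation LOGTEXT
# Collapses repeats (several unit instances, several start attempts) into
# one checklist item per category, with the names in "977(brlapi)" stripped.
brltty_remediation() {
  brltty_failures "$1" | sort -u | awk -F "$TAB" '
    $1 == "capability" { caps = caps " " $2 }
    $1 == "group"      { g = $2; sub(/^[0-9]+\(/, "", g); sub(/\)$/, "", g); groups = groups " " g }
    $1 == "devperm"    { devs = devs " " $2 }
    $1 == "rundir"     { dirs = dirs " " $2 }
    $1 == "nodev"      { nodev = nodev " " $2 }
    $1 == "device"     { opens = opens " " $2 }
    END {
      if (caps)   print "capabilities not in the permitted set (unit: CapabilityBoundingSet=, AmbientCapabilities=):" caps
      if (groups) print "supplementary groups not joined (sysusers config not applied, or unit SupplementaryGroups=):" groups
      if (devs)   print "device nodes not group readable/writable for the service (udev rules, node group/mode):" devs
      if (dirs)   print "runtime directory not creatable as the service user (unit RuntimeDirectory=, tmpfiles):" dirs
      if (nodev)  print "device files refused here, likely a nodev mount (point writable-directory elsewhere):" nodev
      if (opens)  print "devices that could not be opened (check owner, group and mode of the node):" opens
    }'
}

# mount_has_nodev MOUNTTABLE DIR
# Picks the longest mount point that is DIR or a parent of DIR and answers
# "yes" if that mount's option list contains nodev, otherwise "no".
mount_has_nodev() {
  printf '%s\n' "$1" | awk -v dir="$2" '
    {
      mp = $2
      if (mp == "/" || dir == mp || index(dir, mp "/") == 1) {
        if (length(mp) > best) { best = length(mp); opts = $4 }
      }
    }
    END {
      n = split(opts, o, ",")
      for (i = 1; i <= n; i++) if (o[i] == "nodev") { print "yes"; exit }
      print "no"
    }'
}

# Stand-alone run over the constructed samples. On a live system feed it
# "$(journalctl -b --no-pager)" or the file written with -L, and
# "$(cat /proc/self/mounts)" with the configured writable-directory.
brltty_remediation "$SAMPLE_LOG"
echo "/run/brltty on a nodev mount: $(mount_has_nodev "$SAMPLE_MOUNTS" /run/brltty)"
echo "/root/brltty-runtime on a nodev mount: $(mount_has_nodev "$SAMPLE_MOUNTS" /root/brltty-runtime)"
```

On the sample input this yields four checklist items (two capabilities, the brlapi and uucp groups, /dev/uinput, /run/brltty) and reports /run/brltty as nodev while /root/brltty-runtime is not, which is the same picture the message arrives at by hand: the unprivileged service lacks its group and capability grants and cannot create its runtime directory, and the root workaround trips over the nodev mount rather than over privileges.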

