[BRLTTY] BRLTTY, systemd and unprivileged user

Dave Mielke Dave at mielke.cc
Sat Aug 22 16:23:59 EDT 2020


[quoted lines by Aura Kelloniemi on 2020/08/22 at 08:57 +0300]

>BRLTTY changes to user brltty:brltty, but for some reason the capability
>assignments don't work and the process is non-functional. 

This should (must) be figured out. Please capture and post a debug log for when
brltty starts up. Use -L/path/to/logfile, and -ldebug should be enough.

I'm wondering if you may have a mixture of older and newer systemd units/files.
Or, maybe, you have an incomplete setup. Which systemd-related files do you
currently have installed?

The output from systemd status and journal would probably be helpful.

>I have not found a way to prevent BRLTTY from changing the user without
>deleting the user or passing --with-privilege-parameters to configure. I would
>like to have a way to disable the UID change, something like
>--privilege-parameters=lx:user= on BRLTTY command line.

That'd be a way to bypass a distribution's security policy.

>When I manage to run BRLTTY as root, it changes to the directory
>/var/run/brltty and tries to create device nodes there. However, /var/run is
>mounted with nodev flag by systemd, because of security reasons. As a result,
>BRLTTY does not have access to screen contents (or any other devices). I fixed
>this temporarily by setting writable-directory to /root/brltty-runtime/ in brltty.conf.

Brltty shouldn't be creating those devices. Sure, it'll try, but what this
situation really means is that something about the setup is wrong. In this
case, I'm suspecting that it's running as an unprivileged user but doesn't
have the needed group memberships. Again, a debug log would be helpful.

It could be that you didn't install the sysusers brltty.conf file. It probably
means that the brltty user doesn't have its needed supplementary group list.

>When I attach my display using USB, a new BRLTTY process is started, but
>because it cannot access the screen contents, it is stopped again, and
>restarted. This process of starting and stopping loops endlessly. For some
>reason the writable-directory option that I configured in brltty.conf does not
>seem to take effect. Also it is not possible to disable executing these units,
>nor can they be stopped manually with systemctl.

For now, disable brltty's udev rules.

>systemd complains that brltty@.service depends on systemd-udev-settle.service
>which is deprecated, and should no more be used.

Does anything say what should be used instead?

-- 
I believe the Bible to be the very Word of God: http://Mielke.cc/bible/
Dave Mielke            | 2213 Fox Crescent | WebHome: http://Mielke.cc/
EMail: Dave at Mielke.cc  | Ottawa, Ontario   | Twitter: @Dave_Mielke
Phone: +1 613 726 0014 | Canada  K2A 1H7   |
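
Added example, not part of the original message and not BRLTTY project code: shell helpers that read the facts this thread turns on from /proc/<pid>/status and the mount options, namely the effective UID, the supplementary group list, whether CAP_MKNOD (Linux capability 27, needed to create device nodes) is effective, and whether a mount is nodev. The function names and SAMPLE_STATUS are constructed for illustration; which groups and capabilities brltty actually needs is not stated in the thread and is not assumed here.

```shell
#!/bin/sh
# Added example: triage helpers for the symptoms discussed in this thread.
# SAMPLE_STATUS is constructed, not taken from a real brltty process.
SAMPLE_STATUS='Name: brltty
Uid: 998 998 998 998
Gid: 998 998 998 998
Groups: 998
CapEff: 0000000000000000'

# Print the value of one field from /proc/<pid>/status text on stdin.
status_field() {
    sed -n "s/^$1:[[:space:]]*//p"
}

# Succeed if capability number $2 is set in the hex mask $1 (e.g. CapEff).
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# Succeed if a comma-separated mount option list contains nodev.
mount_has_nodev() {
    case ",$1," in *,nodev,*) return 0 ;; *) return 1 ;; esac
}

# Summarise effective UID, supplementary groups and CAP_MKNOD (capability 27).
summarise() {
    st=$1
    euid=$(printf '%s\n' "$st" | status_field Uid | awk '{print $2}')
    grps=$(printf '%s\n' "$st" | status_field Groups)
    capeff=$(printf '%s\n' "$st" | status_field CapEff)
    if has_cap "$capeff" 27; then mknod=yes; else mknod=no; fi
    printf 'euid=%s groups=%s cap_mknod=%s\n' "$euid" "$grps" "$mknod"
}

# With a PID argument, inspect that process; otherwise use the sample.
if [ -n "${1:-}" ] && [ -r "/proc/$1/status" ]; then
    summarise "$(cat "/proc/$1/status")"
    # findmnt -T resolves the mount that holds the path named in the thread.
    opts=$(findmnt -no OPTIONS -T /var/run/brltty 2>/dev/null || true)
    if mount_has_nodev "$opts"; then
        echo "mount holding /var/run/brltty is nodev"
    fi
else
    summarise "$SAMPLE_STATUS"
fi
```

A groups field that lists only the primary GID points at a missing supplementary group list, and on a nodev mount device nodes cannot be opened even when CAP_MKNOD is present.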

