FS#28401 - [brltty] brlapi.key file missing from install
Attached to Project:
Arch Linux
Opened by Timothy (timthelion) - Monday, 13 February 2012, 17:22 GMT
Last edited by Ionut Biru (wonder) - Monday, 13 February 2012, 19:55 GMT
Details
Description:
The brlapi.key file is required for brlapi to work. I didn't catch this before, because the key file had already been created on my system. However, at http://mielke.cc/pipermail/brltty/2012-February/008417.html someone pointed the problem out to me. The key file can contain anything; it just has to be there. <http://wiki.debian.org/accessibility> It is an old security measure that makes no sense on single-user systems. It's still hanging around from back in the days when there could be multiple physical ttys on a single mainframe. The idea was that only braille users should be able to control the braille displays, to prevent third-party users from sending them random messages or taking control of their displays. This is what I propose we change to make this work properly.
$ diff PKGBUILD PKGBUILD.old 8c8 < pkgrel=4 --- > pkgrel=3 18d17 < install='brlapikey.install' 37c36 < echo "ac6276a926422b9cf0cffdbd3679bd72" > "$srcdir/brlapi.key" --- > 46d44 < install -D -m644 "$srcdir/brlapi.key" "$pkgdir/etc/brlapi.key"
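Review bot: the `37c36` and `46d44` changes ship one fixed key to every installation and make it readable by every local user. The `echo "..." > "$srcdir/brlapi.key"` line writes the same literal on each build, so the value is published with the package, and `install -D -m644` grants read permission to "other". Suggest dropping both lines and creating the key on the target system from the `brlapikey.install` scriptlet that `18d17` already references, with a restrictive umask and a mode such as 640 for a dedicated group. The contents of `brlapikey.install` are not part of this diff, so they cannot be reviewed here. The diff is also taken with the new file first (`diff PKGBUILD PKGBUILD.old`), which shows the additions as `<` lines; swapping the arguments would make it read in the usual direction.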
Closed by Ionut Biru (wonder)
Monday, 13 February 2012, 19:55 GMT
Reason for closing: Fixed
Additional comments about closing: brltty-4.3-4
They don't take into consideration the INSTALL_ROOT= variable used in make install.
In Programs/Makefile.in the following target exists:
install-api-key:
	file=$(sysconfdir)/$(API_AUTHFILE) && \
	if test ! -f $$file -a -w $(sysconfdir) -a -z "$(INSTALL_ROOT)"; \
	then umask 077 && $(SRC_DIR)/brltty-genkey $$file; fi
need INSTALL_ROOT
Anyway, the problem is that it does not make sense to include
brlapi.key in a binary package: its content is supposed to be generated
at installation time and kept secret, a bit like the ssh host key
generation. Putting the value in publicly-downloadable binary packages
completely defeats the purpose of the file.
It does make sense now that you have explained it: not to include the key in the package. Instead, I could try to generate one from /etc/rc.d/brltty using brltty-genkey.
Are you familiar with how other distros do it?
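post_install(){
  # Create the group first; skip the call if it already exists.
  getent group braille >/dev/null || groupadd braille
  # Generate the key under a restrictive umask so it is never world-readable.
  (umask 077 && ./brltty-genkey /etc/brlapi.key)
  # Give read access to members of the braille group only.
  chgrp braille /etc/brlapi.key
  chmod 640 /etc/brlapi.key
  echo "Please add your user to the braille group."
}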
"Authorization.
Since Unix is designed to allow many users to work on the same machine, it's quite possible that there are more than one user accounts on the system. Most probably, one doesn't want any user with an account on the machine to be able to communicate with the braille terminal (just imagine what would happen if, while somebody was working with the braille terminal, another user connected to the system began to communicate with it, preventing the first one from doing his job...). That's why BrlAPI has to provide a way to determine whether a user who established a connection is really allowed to communicate with the braille terminal. To achieve this, BrlAPI requires that each application that wants to control a braille terminal sends an authorization key before doing anything else. The control of the braille terminal will only be possible for the client once it has sent the proper authorization key. What is called authorization key is in fact a Unix file containing data (it must be non-empty) on your system. All the things you have to do is to give read permissions on this file to users that are allowed to communicate with the braille terminal, and only to them. This way, only authorized users will have access to the authorization key and then be able to send it to BrlAPI. To see how to do that, please see chapter Installation and configuration.
At the end of this step, the user is authorized to take control of the braille terminal. On brltty's side, some data structures are allocated to store information on the client, but this has no user-level side-effect.
"
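A check for the properties this thread and the quoted BrlAPI manual ask of the key file (present, non-empty, not accessible to all users, not the value shipped in a package), as an added example that is not part of the original report or of brltty. The function name, its return codes and the sample files in the demo are assumptions of this example.

```sh
#!/bin/sh
# Added example: audit a BrlAPI key file. Return codes are this example's
# own convention, not something brltty defines.
# usage: audit_brlapi_key KEYFILE [PACKAGED_COPY]
#   0 ok | 1 missing/not a regular file | 2 empty
#   3 accessible to "other" | 4 identical to the packaged copy
audit_brlapi_key() {
    key=$1
    packaged=${2:-}
    # Must be a real file; a symlink could point at something readable by all.
    if [ ! -f "$key" ] || [ -L "$key" ]; then
        echo "FAIL: $key missing or not a regular file"; return 1
    fi
    # The BrlAPI manual requires the key to contain data.
    if [ ! -s "$key" ]; then
        echo "FAIL: $key is empty"; return 2
    fi
    # Only authorized users may read it: no read or write bit for "other".
    if [ -n "$(find "$key" -prune \( -perm -004 -o -perm -002 \) -print)" ]; then
        echo "FAIL: $key is accessible to all users"; return 3
    fi
    # A key identical to one shipped in a package is known to everyone.
    # cmp is used so binary keys compare correctly.
    if [ -n "$packaged" ] && [ -f "$packaged" ] && cmp -s "$key" "$packaged"; then
        echo "FAIL: $key matches the packaged copy"; return 4
    fi
    echo "OK: $key"; return 0
}

# Constructed demo: a key installed as a fixed value with mode 644.
demo=$(mktemp -d)
printf 'constructed-packaged-value\n' > "$demo/packaged.key"
cp "$demo/packaged.key" "$demo/brlapi.key"
chmod 644 "$demo/brlapi.key"
audit_brlapi_key "$demo/brlapi.key" "$demo/packaged.key" || echo "audit returned $?"
rm -rf "$demo"
```

On a real system the first argument would be /etc/brlapi.key and the second a copy of the key extracted from the package under review.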