Bug 204150

Summary:	audio permissions are wrong for accessible login
Product:	[Fedora] Fedora	Reporter:	George Kraft <gk4>
Component:	hal	Assignee:	David Zeuthen <davidz>
Status:	CLOSED RAWHIDE	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	high	Docs Contact:
Priority:	medium
Version:	rawhide	CC:	harald, mclasen, pknirsch, tao, tmraz
Target Milestone:	---
Target Release:	---
Hardware:	All
OS:	Linux
URL:	http://live.gnome.org/LSR/AccessibleLogin
Whiteboard:
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2007-08-17 17:18:42 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description George Kraft 2006-08-25 21:18:42 UTC

Description of problem:
text-to-speech does not work for screen readers during accessible gdmgreeter login.

Version-Release number of selected component (if applicable):
setup-2.5.49-1
gdm-2.14.9-1

How reproducible:
turn on acessible login

Steps to Reproduce:
1. gdmsetup, turn on accessible login
2. gdmgreeter, ctrl-s to start screen reader with tts
3. tail /etc/gdm/modules/AccessKeyMouseEvents
  
Actual results:
screen reader starts, but i dont hear the screen reader announce that is has
started.

Expected results:
when the screen reader starts it should use tts to announce that it has started

Additional info:
see the access guide info regarding accessible login setup.  the problem is that
 FC5 does not have group audio, user gdm is not in group audio, and devices
/dev/snd/* and /dev/dsp are not in group audio.  fix the audio permissions for
user gdm then accessible login should work.

/usr/sbin/groupadd audio
/usr/sbin/usermod -G audio gdm

cat >> /etc/rc.local << HERE_DOCUMENT
chgrp audio /dev/snd/* /dev/dsp
chmod g+rw /dev/snd/* /dev/dsp
HERE_DOCUMENT

Comment 1 George Kraft 2006-08-31 21:06:00 UTC

Please ignore the previous recommendation of changing the sound device
permissions via rc.local, but rather change the console sound mode to 0600 and
group to audio via the file /etc/security/console.perms.d/50-default.perms

<console>  0600 <sound>      0660 root.audio

Comment 2 George Kraft 2007-04-10 20:23:26 UTC

Problem persists on RHEL5.

Comment 3 Phil Knirsch 2007-05-23 13:27:51 UTC

The file /etc/security/console.perms.d/50-default.perms is part of pam, so it
needs to be changed there.

Reassigning to pam.

Read ya, Phil

Comment 4 Tomas Mraz 2007-05-23 13:35:48 UTC

Well, the fix has to be done in pam, setup and probably also udev. The audio
group must be added to setup first, then pam and udev (I'm not sure if udev
calls  pam_console_apply always or not) should be modified to set
group+permissions of audio device nodes to audio+0660.

Comment 5 George Kraft 2007-08-17 15:22:33 UTC

What is the status on finishing this?  RHEL5 now depends on this via 244688.

Comment 6 Tomas Mraz 2007-08-17 15:27:39 UTC

As pam will no longer handle permissions for audio devices in F8 the solution in
RHEL5 will have to be different than in F8.

Comment 7 George Kraft 2007-08-17 15:56:12 UTC

Someone should remove the dependencies.  Bug 204150 does not block 244688, and
bug 244688 does not depend on 204150.  Thanks.

Comment 8 David Zeuthen 2007-08-17 17:18:42 UTC

Since Fedora 7 the 'gdm' user have had the correct ACL (see below) so am going
to close this bug. For RHEL5 you need to clone this bug or open another one.

# getfacl /dev/snd/controlC0 
getfacl: Removing leading '/' from absolute path names
# file: dev/snd/controlC0
# owner: davidz
# group: root
user::rw-
user:gdm:rw-
user:davidz:rw-
group::---
mask::rw-
other::---

Comment 9 George Kraft 2007-08-20 13:04:09 UTC

The getfacl output from comment #8 is shown when user davidz is logged on.  One
should examine when gdm is displaying the login prompt and nobody is logged in.
 From /etc/gdm/Init/Default, if I do a /bin/ls on /dev/snd/controlC0 and
redirect it to a file, then it shows it's owned by root.root with mode 600.  It
does not appear to have the correct ACL on Fedora 7.

Comment 10 David Zeuthen 2007-08-21 16:35:07 UTC

(In reply to comment #9)
> The getfacl output from comment #8 is shown when user davidz is logged on.  One
> should examine when gdm is displaying the login prompt and nobody is logged in.
>  From /etc/gdm/Init/Default, if I do a /bin/ls on /dev/snd/controlC0 and
> redirect it to a file, then it shows it's owned by root.root with mode 600.  It
> does not appear to have the correct ACL on Fedora 7.  

POSIX ACL's are normally not shown in ls output; try using getfacl just like I
did above in comment 8. The ACL's are there, accessible login is working just
fine on Fedora 7 last time I tried. If it doesn't work, please paste the output
of getfacl .