= sudo admin AT-SPI = * '''Launchpad Entry''': https://launchpad.net/distros/ubuntu/+spec/sudo-admin-atspi * '''Created''': 2006-06-06 by HenrikOmma * '''Contributors''': HenrikOmma, ColinWatson, LukeYelavich * '''Packages affected''': at-spi, gnome-control-center '''The fix to this problem has now been committed to Gnome 2.17.''' (see George's comment at the bottom of the page) == Summary == The admin tools that run in sudo mode corrently do not work with AT-SPI. This needs to be fixed. == Rationale == Ubuntu uses the sudo system to access system administration tools, including the GUI based ones. This presents a unique accessibility limitation for us in that the admin utilities running as root do not communicate their access information to the at-spi enabled assistive tools that run in the user's native session. Whether this is a bug in X, in sudo or in AT-SPI it needs to be resolved so that ubuntu users who rely on AT-SPI can use the admin tools. == Use cases == * Sylvia has Ubuntu installed on her computer and uses an AT-SPI enable magnifier. It currently fails to focus properly on admin utilities that run as sudo. * Sigve has been using the Ubuntu Live CD with help of the built-in screen reader and now wants to install it all to his HD. Unfortunately Ubiquity runs under sudo and therefore does not work properly with AT-SPI on the Live CD. * Oscar uses an on-screen keyboard to enter text into Ubuntu. When trying to access and admin untility however, the screen focus is locked by the password dialog, which makes it impossible for him to type. == Scope == * Provide a way for AT-SPI to communicate with applications running under sudo * Prevent the admin password dialog from grabbing the screen when AT settings are enabled. == Design == * '''AT-SPI sudo communication:''' A connection can be established by patching AT-SPI to use SUDO_USER in its lookup routine. ColinWatson will prepare a patch for testing. * '''preventing focus-grab:''' Add an option on the Assistive Technology Preferences dialog to flag {{{gksu:disable-grab}}} and also flag it by default on the Live CD access profiles. == Implementation == Once the design has been agreed on, it's just two fairly simple patches. == Outstanding issues == * Creating a patch for the Assistive Technology Preferences dialog to alter the {{{gksu:disable-grab}}} gconf key. == BoF agenda and discussion == * Problem with screen reader etc. not working on apps running as root is that accessibility libraries are finding the accessibility bridge by looking in /tmp/orbit-$username-of-current-uid rather than something to do with the display. See http://bugzilla.gnome.org/show_bug.cgi?id=163132. * As a side-effect, this means that a11y doesn't work with remote X displays (eg, LTSP) * The real fix for this is too complicated for us. * However, we think we can make it work by patching the at-spi bridge lookup to use SUDO_USER. This is a grievous hack but doesn't make anything any worse. * ColinWatson: I've investigated orbit2's setup code and found that it uses `g_get_user_name` to find its `/tmp/orbit-*` directory which on Unix picks the username out of `getpwuid`; it should therefore be sufficient to make the at-spi bridge lookup temporarily drop privileges while connecting to the bridge, which means we don't have to mess with orbit2 itself. I volunteer to produce a patch for LukeYelavich to test. * Another problem is that the display-grabbing of gksu prevents the use of a11y tools with the gksu interface (eg, on-screen keyboard). * There is a gconf key named ??? which can disable this display-grabbing. This "solves" the problem in that it makes it possible to use gksu with a11y tools. * It is not currently clear what the real best solution is; there are good reasons for the grab and naively it would be nice if we could somehow exempt the a11y tools but this is hard (the grab is at a very low level) == Comments == SebastianHeinlein: you can disable the grabbing of the keyboard by gksu. change /apps/gksu/disable-grab in gconf to true. JasonGrieves: This is good to bring up! This tool breaks magnifier AND full screen magnification on a very large scale! This needs to be brought up ASAP for Edgy SvenJaborek: just an idea, try executing xhost + as user before starting the admin tool ColinWatson: just an idea, let's not :-) (`xhost +` is evil) BillHaneman: no need to patch this independently, the 'real fix' is about to land in CVS. probably not for gnome-2.17.1 (tonight, 16-Oct-06) but within a week. The magnifier should work across hosts transparently in the sudo context. Not sure what JasonGrieves means about breaking full screen magnification (no connection that I can see). GeorgeKraft: in addition to the 'real fix' for sudo administration (gksu) that BillHaneman mentioned, it also fixes the application SEGV problem if atspi-registryd is missing or broken. The patch tuple is ([[http://bugzilla.gnome.org/show_bug.cgi?id=163132|atspi]], [[http://bugzilla.gnome.org/show_bug.cgi?id=345428|gnome-session]], [[http://bugzilla.gnome.org/show_bug.cgi?id=345434|gdm]])