1 |
Hi |
2 |
|
3 |
I've opened issue #1159 on SDDM Github [1], with a patch that makes |
4 |
better use of "initgroups" and "pam_setcreds", I hope. |
5 |
|
6 |
@Remy Blank if you could try the patch and comment on the issue, that |
7 |
may help SDDM project members to evaluate it. |
8 |
|
9 |
Thanks |
10 |
|
11 |
Best regards |
12 |
Mickaël Bucas |
13 |
|
14 |
[1] https://github.com/sddm/sddm/issues/1159 |
15 |
|
16 |
Le ven. 19 avr. 2019 à 00:34, Mickaël Bucas <mbucas@×××××.com> a écrit : |
17 |
> |
18 |
> Le lun. 15 avr. 2019 à 20:26, Remy Blank <remy.blank@×××××.com> a écrit : |
19 |
> > |
20 |
> > > After a reboot, the problem disappears for a while, but comes again, |
21 |
> > > and I didn't find what could trigger it. |
22 |
> > > I can't figure what KDE could have to do with user groups returned by |
23 |
> > > the kernel ! |
24 |
> > > |
25 |
> > > Does anyone have a hint on the origin of this problem ? |
26 |
> > |
27 |
> > Yes, this is triggered by restarting the xdm service, possibly limited |
28 |
> > to sddm users. |
29 |
> > |
30 |
> > I have noticed the same issue here. Groups are correct after a reboot, |
31 |
> > but if I do: |
32 |
> > |
33 |
> > $ /etc/init.d/xdm restart |
34 |
> > |
35 |
> > and log into KDE, then I'm a member of all sorts of system groups. I'm |
36 |
> > using sddm, maybe it happens with other login managers as well. |
37 |
> > |
38 |
> > I suspect that this is due to inheriting the supplementary groups of |
39 |
> > which "root" is a member at the time the login manager is started. At |
40 |
> > boot time, it is a member of no additional groups, whereas in a root |
41 |
> > shell, it is: |
42 |
> > |
43 |
> > # groups |
44 |
> > root bin daemon sys adm disk wheel floppy dialout tape video |
45 |
> > |
46 |
> > I suspect this is a bug in sddm, or maybe in pam. It should drop all |
47 |
> > supplementary groups before switching to the user logging in. |
48 |
> > |
49 |
> > As a workaround, I now always reboot instead of restarting xdm. |
50 |
> > |
51 |
> > -- Remy |
52 |
> |
53 |
> Thanks for pointing me to SDDM. After looking at the source code [1] |
54 |
> that prepares the user session I think it's not correct. |
55 |
> The main problem is that it doesn't call "initgroups" when PAM is |
56 |
> enabled. This function is the one that loads the list of local groups |
57 |
> for the user. |
58 |
> PAM functions should be called afterwards to load additional groups |
59 |
> with for example pam_group.so, according to man pam_setcred(3) |
60 |
> |
61 |
> This is confirmed by looking at the code of XDM for the same action, |
62 |
> which calls "initgroups" in all cases [2]. |
63 |
> I found this piece of code interesting with for example : |
64 |
> # if defined(BSD) && (BSD >= 199103) |
65 |
> So it seems it's been around for a really long time ! |
66 |
> |
67 |
> I also found issue 416 on SDDM [3] on Github that seems to be the same |
68 |
> problem, but it has been closed, with a dubious explanation that this |
69 |
> would be caused by KDE kinit. |
70 |
> I don't believe it because KDE processes are launched with the user |
71 |
> session id, and therefore shouldn't be able to add system groups to |
72 |
> the session. |
73 |
> And if I look at the groups of sddm-greeter when it's running under |
74 |
> user "sddm", they are already incorrect before a KDE session is |
75 |
> opened. |
76 |
> mick@xxx ~ $ grep Groups /proc/$(pidof sddm-greeter)/status |
77 |
> Groups: 0 1 2 3 4 6 10 11 26 27 27 243 |
78 |
> |
79 |
> I will try to modify SDDM code to include "initgroups" where I suppose |
80 |
> it should be called. |
81 |
> This could result in a new bug or a pull request depending on the results... |
82 |
> |
83 |
> Best regards |
84 |
> Mickaël Bucas |
85 |
> |
86 |
> [1] https://github.com/sddm/sddm/blob/develop/src/helper/UserSession.cpp |
87 |
> [2] https://gitlab.freedesktop.org/xorg/app/xdm/blob/master/xdm/session.c |
88 |
> [3] https://github.com/sddm/sddm/issues/416 |