| 1 |
Hi |
| 2 |
|
| 3 |
I've opened issue #1159 on SDDM Github [1], with a patch that makes |
| 4 |
better use of "initgroups" and "pam_setcreds", I hope. |
| 5 |
|
| 6 |
@Remy Blank if you could try the patch and comment on the issue, that |
| 7 |
may help SDDM project members to evaluate it. |
| 8 |
|
| 9 |
Thanks |
| 10 |
|
| 11 |
Best regards |
| 12 |
Mickaël Bucas |
| 13 |
|
| 14 |
[1] https://github.com/sddm/sddm/issues/1159 |
| 15 |
|
| 16 |
Le ven. 19 avr. 2019 à 00:34, Mickaël Bucas <mbucas@×××××.com> a écrit : |
| 17 |
> |
| 18 |
> Le lun. 15 avr. 2019 à 20:26, Remy Blank <remy.blank@×××××.com> a écrit : |
| 19 |
> > |
| 20 |
> > > After a reboot, the problem disappears for a while, but comes again, |
| 21 |
> > > and I didn't find what could trigger it. |
| 22 |
> > > I can't figure what KDE could have to do with user groups returned by |
| 23 |
> > > the kernel ! |
| 24 |
> > > |
| 25 |
> > > Does anyone have a hint on the origin of this problem ? |
| 26 |
> > |
| 27 |
> > Yes, this is triggered by restarting the xdm service, possibly limited |
| 28 |
> > to sddm users. |
| 29 |
> > |
| 30 |
> > I have noticed the same issue here. Groups are correct after a reboot, |
| 31 |
> > but if I do: |
| 32 |
> > |
| 33 |
> > $ /etc/init.d/xdm restart |
| 34 |
> > |
| 35 |
> > and log into KDE, then I'm a member of all sorts of system groups. I'm |
| 36 |
> > using sddm, maybe it happens with other login managers as well. |
| 37 |
> > |
| 38 |
> > I suspect that this is due to inheriting the supplementary groups of |
| 39 |
> > which "root" is a member at the time the login manager is started. At |
| 40 |
> > boot time, it is a member of no additional groups, whereas in a root |
| 41 |
> > shell, it is: |
| 42 |
> > |
| 43 |
> > # groups |
| 44 |
> > root bin daemon sys adm disk wheel floppy dialout tape video |
| 45 |
> > |
| 46 |
> > I suspect this is a bug in sddm, or maybe in pam. It should drop all |
| 47 |
> > supplementary groups before switching to the user logging in. |
| 48 |
> > |
| 49 |
> > As a workaround, I now always reboot instead of restarting xdm. |
| 50 |
> > |
| 51 |
> > -- Remy |
| 52 |
> |
| 53 |
> Thanks for pointing me to SDDM. After looking at the source code [1] |
| 54 |
> that prepares the user session I think it's not correct. |
| 55 |
> The main problem is that it doesn't call "initgroups" when PAM is |
| 56 |
> enabled. This function is the one that loads the list of local groups |
| 57 |
> for the user. |
| 58 |
> PAM functions should be called afterwards to load additional groups |
| 59 |
> with for example pam_group.so, according to man pam_setcred(3) |
| 60 |
> |
| 61 |
> This is confirmed by looking at the code of XDM for the same action, |
| 62 |
> which calls "initgroups" in all cases [2]. |
| 63 |
> I found this piece of code interesting with for example : |
| 64 |
> # if defined(BSD) && (BSD >= 199103) |
| 65 |
> So it seems it's been around for a really long time ! |
| 66 |
> |
| 67 |
> I also found issue 416 on SDDM [3] on Github that seems to be the same |
| 68 |
> problem, but it has been closed, with a dubious explanation that this |
| 69 |
> would be caused by KDE kinit. |
| 70 |
> I don't believe it because KDE processes are launched with the user |
| 71 |
> session id, and therefore shouldn't be able to add system groups to |
| 72 |
> the session. |
| 73 |
> And if I look at the groups of sddm-greeter when it's running under |
| 74 |
> user "sddm", they are already incorrect before a KDE session is |
| 75 |
> opened. |
| 76 |
> mick@xxx ~ $ grep Groups /proc/$(pidof sddm-greeter)/status |
| 77 |
> Groups: 0 1 2 3 4 6 10 11 26 27 27 243 |
| 78 |
> |
| 79 |
> I will try to modify SDDM code to include "initgroups" where I suppose |
| 80 |
> it should be called. |
| 81 |
> This could result in a new bug or a pull request depending on the results... |
| 82 |
> |
| 83 |
> Best regards |
| 84 |
> Mickaël Bucas |
| 85 |
> |
| 86 |
> [1] https://github.com/sddm/sddm/blob/develop/src/helper/UserSession.cpp |
| 87 |
> [2] https://gitlab.freedesktop.org/xorg/app/xdm/blob/master/xdm/session.c |
| 88 |
> [3] https://github.com/sddm/sddm/issues/416 |
Archives