When using using SDDM 0.20.0, I get the groups of my user concatenated after the groups of the root user In this case, the problems are: - I get access to groups I shouldn't have access to - There are some duplicate groups in the list - I can't write on NFS because the allowed group is above the 16 groups limit of NFS I've set the severity to "Major" because of the groups of root I get access to. However when using SDDM 0.18.1 I get the right list of groups for my user (see below). When I login through SSH, I also get the right list of groups, so it seems it's limited to SDDM. I've already noticed a similar bug in SDDM 0.18.0 and reported it to the SDDM project on 2019-04-20 https://github.com/sddm/sddm/issues/1159 I don't really understand how it evolved since it seems to have been resolved in 0.18.1, but the bug is still open. Maybe it was resolved by the following patch in Gentoo, which references the issue I created :) x11-misc/sddm/files/sddm-0.18.1-honor-PAM-supplemental-groups-v2.patch. $ emerge -pv1 x11-misc/sddm These are the packages that would be merged, in order: Calculating dependencies... done! Dependency resolution took 2.08 s. [ebuild R ] x11-misc/sddm-0.20.0-r1::gentoo USE="elogind -systemd -test" 0 KiB Total: 1 package (1 reinstall), Size of downloads: 0 KiB # Effective groups under SDDM 0.20.0 $ groups root bin daemon sys adm disk lp wheel wheel floppy uucp cron audio dialout tape video video games apache usb transmission portage vboxusers xfs allowssh allowssh users mick # User's configured groups $ groups mick lp wheel cron audio video games apache usb transmission portage vboxusers xfs allowssh users mick # Duplicates $ groups|tr ' ' '\n'|sort|uniq -c|sort -n 1 adm 1 apache 1 audio 1 bin 1 cron 1 daemon 1 dialout 1 disk 1 floppy 1 games 1 lp 1 mick 1 portage 1 root 1 sys 1 tape 1 transmission 1 usb 1 users 1 uucp 1 vboxusers 1 xfs 2 allowssh 2 video 2 wheel # New login through SSH $ ssh localhost # Correct list of groups $ groups lp wheel cron audio video games apache usb transmission portage vboxusers xfs allowssh users mick # After masking 0.20.0, emerging 0.18.1 and restarting /etc/init.d/display-manager $ emerge -pv1 x11-misc/sddm These are the packages that would be merged, in order: Calculating dependencies... done! Dependency resolution took 2.07 s. [ebuild R ] x11-misc/sddm-0.18.1-r8::gentoo USE="elogind pam -systemd -test" 0 KiB Total: 1 package (1 reinstall), Size of downloads: 0 KiB # Effective groups are equal to configured groups $ groups lp wheel cron audio video games apache usb transmission portage vboxusers xfs allowssh users mick # User's configured groups $ groups mick lp wheel cron audio video games apache usb transmission portage vboxusers xfs allowssh users mick Reproducible: Always Steps to Reproduce: 1. Update to SDDM 0.20.0 =x11-misc/sddm-0.20.0-r1 and restart service 2. Open a KDE session Actual Results: Invalid list of groups Expected Results: The user should only have the configured groups in the session Portage 3.0.49 (python 3.11.5-final-0, default/linux/amd64/17.1, gcc-12, glibc-2.37-r3, 6.1.53-gentoo-x86_64 x86_64) ================================================================= System uname: Linux-6.1.53-gentoo-x86_64-x86_64-AMD_Ryzen_7_5700X_8-Core_Processor-with-glibc2.37 KiB Mem: 32777164 total, 3882244 free KiB Swap: 33554428 total, 33548284 free Timestamp of repository gentoo: Mon, 25 Sep 2023 00:31:32 +0000 Head commit of repository gentoo: 5720c84c9e9aa6ac10120e3e64dbf7def0028358 Timestamp of repository steam-overlay: Sat, 23 Sep 2023 20:31:33 +0000 Head commit of repository steam-overlay: 275ac47be3a1baa90b370f1600884e2f979e5bd7 sh bash 5.1_p16-r6 ld GNU ld (Gentoo 2.40 p5) 2.40.0 distcc 3.4 x86_64-pc-linux-gnu [disabled] app-misc/pax-utils: 1.3.5::gentoo app-shells/bash: 5.1_p16-r6::gentoo dev-java/java-config: 2.3.1-r1::gentoo dev-lang/perl: 5.38.0-r1::gentoo dev-lang/python: 3.11.5::gentoo dev-lang/rust: 1.72.0::gentoo dev-util/cmake: 3.26.5-r2::gentoo dev-util/meson: 1.2.1-r1::gentoo sys-apps/baselayout: 2.14::gentoo sys-apps/openrc: 0.48::gentoo sys-apps/sandbox: 2.37::gentoo sys-devel/autoconf: 2.13-r7::gentoo, 2.71-r6::gentoo sys-devel/automake: 1.16.5-r1::gentoo sys-devel/binutils: 2.40-r5::gentoo sys-devel/binutils-config: 5.5::gentoo sys-devel/clang: 15.0.7-r3::gentoo, 16.0.6::gentoo, 17.0.1::gentoo sys-devel/gcc: 12.3.1_p20230526::gentoo, 13.2.1_p20230826::gentoo sys-devel/gcc-config: 2.11::gentoo sys-devel/libtool: 2.4.7-r1::gentoo sys-devel/lld: 16.0.6::gentoo sys-devel/llvm: 15.0.7-r3::gentoo, 16.0.6::gentoo, 17.0.1::gentoo sys-devel/make: 4.4.1-r1::gentoo sys-kernel/linux-headers: 6.1::gentoo (virtual/os-headers) sys-libs/glibc: 2.37-r3::gentoo Repositories: gentoo location: /var/db/repos/gentoo sync-type: git sync-uri: https://github.com/gentoo-mirror/gentoo.git priority: -1000 volatile: False sync-git-verify-commit-signature: yes mbucas location: /data/Code/GitHub/gentoo-overlay masters: gentoo volatile: True steam-overlay location: /var/db/repos/steam-overlay sync-type: git sync-uri: https://github.com/gentoo-mirror/steam-overlay.git masters: gentoo volatile: False Installed sets: @xorg-x11-apps, @xorg-x11-fonts ACCEPT_KEYWORDS="amd64" ACCEPT_LICENSE="*" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-O3 -pipe -fomit-frame-pointer -march=native" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt /var/spool/munin-async/.ssh" CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php8.1/ext-active/ /etc/php/cgi-php8.1/ext-active/ /etc/php/cli-php8.1/ext-active/ /etc/php/fpm-php8.1/ext-active/ /etc/php/phpdbg-php8.1/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c" CXXFLAGS="-O3 -pipe -fomit-frame-pointer -march=native" DISTDIR="/var/cache/distfiles" EMERGE_DEFAULT_OPTS="--jobs 20 --load-average 20" ENV_UNSET="CARGO_HOME DBUS_SESSION_BUS_ADDRESS DISPLAY GDK_PIXBUF_MODULE_FILE GOBIN GOPATH PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR XDG_STATE_HOME" FCFLAGS="-O2 -pipe" FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs buildpkg-live config-protect-if-modified distlocks ebuild-locks fixlafiles ipc-sandbox merge-sync multilib-strict network-sandbox news parallel-fetch pid-sandbox preserve-libs protect-owned qa-unresolved-soname-deps sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr" FFLAGS="-O2 -pipe" GENTOO_MIRRORS="http://distfiles.gentoo.org" LANG="fr_FR.UTF-8" LDFLAGS="-Wl,-O1 -Wl,--as-needed" LEX="flex" LINGUAS="fr" MAKEOPTS="--jobs 20 --load-average 20" PKGDIR="/var/cache/binpkgs" PORTAGE_CONFIGROOT="/" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git" PORTAGE_TMPDIR="/var/tmp" SHELL="/bin/bash" USE="X alsa amd64 bash-completion bzip2 cairo cli crypt dbus dri elogind encode exif ffmpeg flac fontconfig fortran gd gif graphviz gstreamer gtk iconv imlib ipv6 java jpeg kde libtirpc mad mng mp3 mpeg multilib mysql ncurses nls nptl ogg opengl openmp pam pcre perl php png postgres python qt5 quicktime readline samba sdl seccomp spell split-usr sql ssl svg test-rust tiff truetype udev unicode vaapi vdpau vhosts vorbis xattr xml xpm xv zlib" ABI_X86="64 32" ADA_TARGET="gnat_2021" APACHE2_MODULES="actions alias auth_basic auth_digest authn_anon authn_core authn_dbd authn_dbm authn_default authn_file authz_core authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock dbd deflate dir disk_cache env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_http proxy_html rewrite setenvif slotmem_shm so socache_shmcb speling status unique_id unixd userdir usertrack vhost_alias xml2enc" CALLIGRA_FEATURES="karbon sheets words" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="mmx mmxext sse sse2 aes avx avx2 f16c fma3 pclmul popcnt rdrand sha sse3 sse4_1 sse4_2 sse4a ssse3" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock greis isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="libinput" KERNEL="linux" L10N="fr" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LUA_SINGLE_TARGET="lua5-1" LUA_TARGETS="lua5-1" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php8-1" POSTGRES_TARGETS="postgres15" PYTHON_SINGLE_TARGET="python3_11" PYTHON_TARGETS="python3_11" QEMU_SOFTMMU_TARGETS="i386 x86_64" QEMU_USER_TARGETS="i386 x86_64" RUBY_TARGETS="ruby31" VIDEO_CARDS="nvidia" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq proto steal rawnat logmark ipmark dhcpmac delude chaos account" Unset: ADDR2LINE, AR, ARFLAGS, AS, ASFLAGS, CC, CCLD, CONFIG_SHELL, CPP, CPPFLAGS, CTARGET, CXX, CXXFILT, ELFEDIT, EXTRA_ECONF, F77FLAGS, FC, GCOV, GPROF, INSTALL_MASK, LC_ALL, LD, LFLAGS, LIBTOOL, MAKE, MAKEFLAGS, NM, OBJCOPY, OBJDUMP, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, RANLIB, READELF, RUSTFLAGS, SIZE, STRINGS, STRIP, YACC, YFLAGS
Yes, this was fixed in sddm-0.18.1 by applying sddm-0.18.1-honor-PAM-supplemental-groups-v2.patch. Unfortunately, it seems the fix was never merged upstream. The code has changed enough that applying the same patch is not possible.
