I have installed xrdp on my gentoo server. I have it set to start the service in the default runlevel. It seems to work just fine, but with one quirk: When I log into the machine via rdp, none of the user groups are read, except the primary. For example, user joe, is a member of wheel,root,cdrw,cdrom his primary group is users. If I log in as joe, pull up a terminal, and type: 'groups', all it shows is "users". This is a big problem, as I cannot apply any file system security measures on the systems without this functioning. I have many users that need to use the system, and group membership is pivotal. Now, if I log in as root, and shut down xrdp, then start it again, the group problem goes away. I thought that perhaps the xrdp startup script was executing too early, but it is dead last, just before local. What can I do to get this thing to read its groups properly? This will cause all kinds of problems as I won't be there to stop and restart the daemons myself. Any help is appreciated. Thank you. G Reproducible: Always Steps to Reproduce: 1.Install xrdp 2. mkdir /test 3. user add joe 4. passwd joe 5. chown root:root /test 6. chmod 750 test 7. usermod -G root joe 8. Login as oe via xrdp (I'm using KDE) 9. Open konqueror 10. enter /test in the URL bar. Actual Results: 11. Access will be denied. 12. hit alt+F2 and run 'konsole' 13. type: "groups" 14. output is only: "joe" Expected Results: I expect a user's groups to apply when they login. Should make sure it applies to the groups to the user for the session.
The problem is worse than I thought. It doesn't get better restarting xrdp by hand, it just looks like it does. logged into the console, groups work as expected: (logged in as joe on the console) # groups users cdrw cdrom joe (logged in as joe remotely (through rdp in kde environment in a konsole) # groups root bin daemon sys adm tape disk wheel floppy It seems to take groups at random. This is extremely bad. It renders the system completely unusable for my users as they cannot access the folders they should have permission to. Please help.
Okay... I have found that this is a bug with xrdp-0.3.1. I was hoping for a work-around, but the problem is in the sesman binary itself. The maintainer of that application stated that it is fixed in 0.3.2. Since 0.3.2 is not in the portage tree, I compiled it by hand. There were no issues with the compile itself, but there was a problem with xrdp finding libxrdp.so because it was not in the search path (compiled in the binary). I made a link to /lib/libxrdp.so, and it started up fine. It seems to have solved the group problem, but opened the door for another equally as big problem... KDE does not seem to want to start... Still working on that. But, because of this major flaw in xrdp-0.3.1, maybe 0.3.2 should be put in the portage tree (assuming that the startwm.sh issue is fixable).
(In reply to comment #2) This was confirmed as a bug. It was, in fact, fixed in 3.2, and seems to be okay in 4.0.
One can temporary fix this bug by inserting to /usr/lib/xrdp/startwm.sh following lines: pgroups=`groups|tr ' ' '\n'|sort` ugroups=`groups "$USER"|tr ' ' '\n'|sort` if [[ $pgroups != $ugroups ]] ; then exec sudo -H -u $USER "$0" "$@" fi This is ugly and bug-provoke, but works. NB: Use this only until you install 0.3.2 which should fix the bug.
Hi, If you look closely, you'll find that the groups you become member of through xrdp is the same groups that root is member of (plus the user specific group). If I'm not mistaking, this is a serious security issue. Upgrading to 0.4.1 solved this for me. Now lets get this into portage. I have made my own personal ebuild to be placed in the portage overlay - it's a copy of the 0.3.1 ebuild with some minor modifications and new patches. I have attached the files to this bug - BUT PLEASE NOTE: use them at your own discretion. I am not a developer, so I cannot rule out any slips. It builds and works on my system. Someone will need to check them before committing it to portage. On a side note: Does anyone know, why I cannot change the keyboard layout in my remote session? If I try it manually using setxkbmap, I get the error message "XKB extension not present on :11.0"
Created attachment 175398 [details] ebuild and patches for xrdp-0.4.1
(In reply to comment #5) > On a side note: > Does anyone know, why I cannot change the keyboard layout in my remote session? > If I try it manually using setxkbmap, I get the error message "XKB extension > not present on :11.0" > I can't get keyboard input to work at all! Not even at the session manager window. If I supply my username and my VNC password using the client, I can get a desktop/window manager/xterm but I can't type anything. If I don't, I get the login box, but still can't type anything. Oh, and I understand there's an "other" way xrdp works besides just forwarding to a VNC server, but I have no idea what that is. The documentation for this is pretty poor. I think the Gentoo wiki used to have information about how to configure it, but, you know.
> I can't get keyboard input to work at all! Not even at the session manager > window. Let me amend that. I can't get keyboard input to work using Microsoft Remote Desktop Connection for Mac OS X. It works fine with other clients. Weird.
The package has been removed from portage.
