Privilege problem with Konsole, and all of KDE was due to an X-11 configuration issue

I’ve got a show-stopping, SERIOUS problem that I didn’t expect: missing group authorizations.

It took me a while to realize what was going on as I’m new to KDE. However, I’ve now proven that at least Konsole has the flaw of not providing all the logged in user’s group privileges upon creation of windows and tabs. It ONLY provides TWO groups, the GID of the account and, for whatever weird reason “wheel”.

The other 45 groups that I have are missing! However, the system IS configured with these. But to get them, the user has to su into their own account, entering the password, in order to get them.

To prove this is drop-dead simple: In any account that has more groups than just its own GID and wheel, simply run the ‘id’ command, note the missing groups, then call su, either with or without the dash, doesn’t matter, and the same account username, enter the password, and run id again. Then, you’ll see the missing groups are now available.

Just calling bash or otherwise instantiating a new shell DOES NOT CURE THIS PROBLEM.

This MAY explain some other weird behavior I’ve seen from time to time in other KDE applications.

First, I’m shocked this could be the case, but it is, at least in my configuration:

Fedora Server 38
kernel-6.4.15-200.fc38.x86_64
KDE Plasma Version: 5.27.8
KDE Frameworks Version: 5.109.0

Secondly, if this isn’t something that’s resolved by a configuration option, well, then Konsole is a useless waste of time - what’s someone to do, SSH into their OWN box just to get their normal, garden-variety privileges?

Thirdly, if this applies to all of a running instance of KDE, and can’t be configured away, for all its good it does, KDE has a serious problem because it’s useless for serious people. In that case, it can’t be used for the deployment of sophisticated applications because it doesn’t grant privileges properly!

I SURE HOPE this is something that can be configured away.

About the ONLY thing I can think of that MAY bear on this regarding my configuration that KDE developers may not have considered is this:

There’s something seriously wrong with Wayland - it’s immature, apparently - and, nevermind all the detail, I’ve had to side-step it and use X11. However, I’m not able to use the login-desktop-choice feature because, for whatever reason(s), I’m not offered the option when logging in. It’s either Wayland, which seldom doesn’t crash right away, or nothing. So, the system boots as a non-graphical system, I log in, and THEN xinit pointing at the script that starts KDE and this has worked flawlessly. THUS: Instead of root launching KDE, it’s my own user account. Perhaps KDE is confused and decides to remove all my groups thinking that who launched it was root?! Seems unlikely, but maybe?

…I’m just looking for a way out because I like KDE, GNOME is unacceptable on MANY grounds and I’m not thrilled with the other desktop choices I see out there today. HELP!

I checked the Konsole --help information (it has no man page), and found nothing so I did an online search and found this:

I’d think this should be a very high priority issue to fix! I’m still looking into it.

Does the issue reproduce in another terminal emulator app that you install on your system like gnome-terminal? If so, then it appears to be a local misconfiguration on your machine, which is supported by that StackOverflow post.

In the future I would recommend asking for help with less hyperbole and fewer insults. Ideally none. Thanks!

I just installed gnome-terminal, launched it and YES it behaves identically.

BTW, I’m sort of freaked out by this; I didn’t mean to be rude, I’m just in a type of shock. My appologies if I was offensive.

And, that q/a session seems to say it’s the display manager, but I didn’t use one! The one solution someone says worked fine was to use sddm.

I’ve already got it and don’t have GDM, so I’m going through the config now to see how that can help.

However that I didn’t use a display manger at all takes it out of the picture, yes?

I forgive you; thanks a lot for acknowledging that! I was bracing for an angry reply (which unfortunately is what often happens next) so it’s nice that things didn’t go that way.

If gnome-terminal behaves identically, then no KDE software is involved in the problem, and it’s gotta be a local misconfiguration of some sort. I presume this doesn’t happen with a fresh install of the system before you’ve done any tweaking and customization (e.g. in a VM for testing purposes)? If not, then something about the changes you’ve made to the system are the cause of this problem.

Unfortunately I’m not knowledgeable enough about that deep part of the system to help you with it, but maybe someone else can. Either way, it’s a bit out of scope here anyway if it’s not a KDE problem.

Good luck in tracking it down!

Thanks ngraham,

Thank YOU for your kind understanding of the abject shock someone might get at a moment like this!

I’m not 100% sure you’re right about no KDE software not being involved but perhaps since I did a test I didn’t cite wherein I ran the id command before starting X and KDE and it showed all the groups properly. Further, I’ve used X to just start an xterm and know it hands you your full privileges - or, at least, it did whenever I’ve done that in the past.

I’m digging in, though, because I REALLY do like KDE, and really DON’T want to be forced into either a roll-your-own scenario or the “obvious” other choices. . .

…Because I run a small server farm and seem to always be in need of a new installation, while I usually clone work I’ve already done, I could either take a server clone or do a complete one-off and test, but not in a day or three. My schedule’s booked and I’m even behind schedule, and SURE don’t need this delay!

Thanks again for your kind wishes. I’ll report back!

The short of it: I fixed it - it was a configuration issue!

Unhappily, I had a hardware failure on the same system while rebooting to confirm the durability of the solution beyond a reboot as otherwise I’d have reported here sooner. (One of the 6 monitors went out - the primary one, of course!)

As noted above, I wasn’t using a display manager, so the problem wasn’t from either GDM or SDDM.

Before digging into X, I confirmed that:

1. Both Konsole AND gnome-terminal inherit their privileges (in particular their groups) from the parent process)

2. As it was, ALL of KDE lacked all the groups it should have inherited, most notably Dolphin (and, of course Konsole).

I concluded the issue was the then-current privileges (especially groups) that were inherited when KDE was started. However, that was dead-simple: My running shell with all the groups called xinit and the only argument was the same startplasma-x11 that KDE itself uses! THIS is why I was thinking it was a KDE problem, which makes sense if you think about it.

Here’s that script - one short line:

xinit /etc/X11/startplasma-x11

This was in a plain ole BASH script, readily available to any user who logged in via the standard “multi-user.target” mechanism.

So, I dug in to both X-11 and sddm, figuring I could learn about how X and KDE are launched from it. However, because sddm was crashing when trying to startup, I didn’t trust it too much. However, I did hack its configuration to get it to ignore Wayland and focus on X - that failed, though, with a hang and never starting any windowing system at all.

I then created a new “StartKDE” script, emulating what I’d found in the sddm materials, but it didn’t work, either.

So, I poured over the X configuration and made nearly zero changes - in fact, I didn’t think I’d changed ANYTHING, and simply rebooted in frustration, starting it the old way with the script above.

However, when it came up in KDE and I started a Konsole, I ran id, fully expecting no change at all, BUT IT SHOWED ALL THE GROUPS! (And that’s when I rebooted and the display failed.)

I’m angry with myself that I don’t know exactly what change I made that changed the behavior!

I’m a solid believer in leaving bread-crumbs behind for others that follow, but in this instance I fixed it and don’t know how. However, I’m sure it was a very subtle change in the X configuration.

I’m also not very thrilled I was apparently perceived as being offensive. Once again, I apologize.