Bug 127323

Summary: kdm failed to start KDE under linux vserver environment
Product: [Unmaintained] kdm
Reporter: Soewono Effendi <seffendi>
Component: general
Assignee: kdm bugs tracker <kdm-bugs-null>
Status: RESOLVED NOT A BUG    
Severity: wishlist    
Priority: NOR    
Version: unspecified   
Target Milestone: ---   
Platform: Ubuntu   
OS: Linux   

Description Soewono Effendi 2006-05-14 20:51:56 UTC
Version:            (using KDE KDE 3.5.2)
Installed from:    Ubuntu Packages
OS:                Linux

For our "next to come" moreubuntu open source project, which was shown at LinuxTag2006, we have Ubuntu and Kubuntu running concurrently on one machine using Linux-VServer (http://www.linux-vserver.org).
It is desirable (for security reasons) to disable/remove the following Linux capabilities: CAP_SYS_RAWIO and CAP_SYS_ADMIN.

Without these capabilities, kdm failed to log in/start a KDE session and crashed with the following error message:
---
Fatal server error:
xf86EnableIOPorts: failed to set IOPL for I/O (Operation not permitted)
---
Using gdm+gnome everything works just fine.

best regards,
Soewono

Comment 1 Oswald Buddenhagen 2006-05-14 23:28:40 UTC
that message is coming from the X server. gdm certainly runs it as a different user which has CAP_SYS_RAWIO. please verify.

Comment 2 Soewono Effendi 2006-05-14 23:50:15 UTC
yes indeed (or maybe?).

using pstree I got the following (other irrelevant stuff removed):
* for gdm

init-+-gdm--gdm-+-Xorg
                +-x-session-manag--

using kdm 

init-+-kdm-+-Xorg
     +-kdm-startkde-+-kwrapper

I forgot to mention that the crash happened after the user login and then logout again: kdm failed to (re)start, i.e. the first KDE session is working, but not after that.
What I try to do is to reduce the Linux capabilities in kdm/Xsetup, which works just fine only for the first KDE session.

Under Gnome I reduce the capabilities in gdm/PostLogin/Default, which works just fine, also after I quit the first session.

I think this is because of the different way gdm and kdm are forking the X session. (Not really sure about that though.)

best regards.

Comment 3 Oswald Buddenhagen 2006-05-15 07:44:11 UTC
kdm's process tree looks like this:

init-+-kdm-+-Xorg  v- those come in sequence
           +-kdm-+-Xsetup
                 +-kdm_greet
                 +-Xstartup
                 +-Xsession->startkde-+-kwrapper
                 `-Xreset

i wouldn't really call it a bug that kdm happens to be gdm-incompatible regarding the process structure. you just have to adapt your script.
you might need to ensure that the Xserver dies after the session (like in gdm) - use the TerminateServer option then.

Comment 4 Soewono Effendi 2006-05-15 08:38:45 UTC
I agree with you. No, it's _not_ a bug, maybe it's a kind of "optimization" ;)
I also tried to let the Xserver die after the session; sadly it doesn't help, since I presume the capabilities needed are already dropped.

For sure I could also try to start KDE using gdm (still didn't manage to do it though), but it would be really nice to be able to use the native KDE display manager.

best regards and thank you anyhow.

Comment 5 Oswald Buddenhagen 2006-05-15 18:48:37 UTC
well, why do you drop the rights of the entire dm? why not just the session sub-daemon (and everything below) and possibly the x server?

Comment 6 Soewono Effendi 2006-05-15 20:50:01 UTC
Well, it's only for security reasons, but I'm open to any suggestions.

I also tried to reduce the capabilities in /etc/kde3/kdm/Xsession, /etc/kde3/kdm/Xsetup, and also /etc/kde3/kdm/Xstartup. None worked.
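
Added example (not part of the original bug thread and not kdm or gdm code): a shell helper for the verification asked for in Comment 1, decoding the capability masks in /proc/<pid>/status to show whether a process such as Xorg still holds CAP_SYS_RAWIO or CAP_SYS_ADMIN. The function names and the two sample status texts are constructed for illustration; bit numbers 17 and 21 are the values from <linux/capability.h>.

```shell
#!/bin/sh
# Decode capability masks from the text of /proc/<pid>/status.
# iopl(2), which the X server calls in xf86EnableIOPorts, needs CAP_SYS_RAWIO.

# Constructed samples (not captured from the reporter's system):
# a mask with every bit except 8 set, and the same mask with bits 17 and 21 cleared.
SAMPLE_FULL='Name: Xorg
CapInh: 0000000000000000
CapPrm: 00000000fffffeff
CapEff: 00000000fffffeff'
SAMPLE_REDUCED='Name: Xorg
CapInh: 0000000000000000
CapPrm: 00000000ffddfeff
CapEff: 00000000ffddfeff'

# cap_bit NAME -- print the bit number of a capability of interest.
cap_bit() {
    case "$1" in
        CAP_SYS_RAWIO) echo 17 ;;
        CAP_SYS_ADMIN) echo 21 ;;
        *) return 1 ;;
    esac
}

# cap_mask FIELD -- read status text on stdin, print FIELD's hex mask
# (CapInh, CapPrm, CapEff; CapBnd on kernels that expose it).
cap_mask() {
    awk -v f="$1:" '$1 == f { print $2; found = 1 } END { exit !found }'
}

# has_cap STATUS_TEXT FIELD NAME -- exit 0 if the bit is set, 1 if it is
# cleared, 2 if the field or capability name is unknown.
has_cap() {
    bit=$(cap_bit "$3") || return 2
    mask=$(printf '%s\n' "$1" | cap_mask "$2") || return 2
    [ $(( (0x$mask >> $bit) & 1 )) -eq 1 ]
}

# report STATUS_TEXT -- one line per capability, based on the effective set.
# Live use: report "$(cat /proc/<pid>/status)" with the X server's pid.
report() {
    for cap in CAP_SYS_RAWIO CAP_SYS_ADMIN; do
        if has_cap "$1" CapEff "$cap"; then echo "$cap=present"
        else echo "$cap=missing"; fi
    done
}
```

Running `report` against the X server both during the first session and after logout shows whether the server that kdm starts for the next greeter still has CAP_SYS_RAWIO in its effective set.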