Bug 5324 - Slimserver should run with group permissions from /etc/groups
Status: CLOSED FIXED
Product: Logitech Media Server
Classification: Unclassified
Component: Platform Support
Version: unspecified
Hardware: PC Windows XP
Importance: P2 normal
Target Milestone: ---
Assigned To: Andy Grundman
Reported: 2007-08-28 01:26 UTC by Christopher Key
Modified: 2008-12-18 11:12 UTC (History)

Attachments
Patch as referenced in the bug report (4.40 KB, patch)
2007-08-28 01:28 UTC, Christopher Key
Description Christopher Key 2007-08-28 01:26:34 UTC
This issue is documented in:

http://forums.slimdevices.com/showthread.php?t=21113
http://forums.slimdevices.com/showthread.php?t=24952&page=2
http://forums.slimdevices.com/showthread.php?t=18559

In summary, Slimserver is not setting its supplementary groups to those listed in /etc/groups, which is a problem for people who don't want to have their music libraries world readable, and certainly rather counterintuitive.

Having had a closer look at the code, there were also a couple more problems. Firstly, Slimserver wasn't removing itself from any supplementary groups inherited at startup. When started manually, slimserver was running with primary group 'slimserv' and supplementary groups 'wheel' and 'operator', which doesn't seem ideal. Secondly, although I didn't manage to check it, I think it would have been possible to run slimserver as root by simply running 'slimserver.pl --user root'.

Attached is a patch which reworks changeEffectiveUserAndGroup to try to improve this.  The logic is now as follows:

o  If started as a non-root user, don't try to change user / groups.  If --user or --groups was passed, then die.
o  If started as root, change to the user specified and that user's primary and supplementary groups.
o  If --group was specified, add that group to the list of supplementary groups.
o  If --user wasn't specified, output a warning, and default to user slimserver.


I've briefly tested this under FreeBSD, and expect no problems under any Unix-like systems; Win32 systems are unaffected. The only query I have is over systems that don't support supplementary groups. Is anyone aware of any such systems actually running Slimserver?

The patch is against 6.5, but it should apply quite happily against the trunk too.
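
The privilege-drop logic listed in the description above, as an added Python example; it is not the attached patch and not Slimserver's own code. The function names, the sample databases and the refusal of uid 0 as a target user are assumptions made for illustration.

```python
import grp
import os
import pwd
import sys

# Constructed sample databases (not from the report): name -> (uid, primary gid)
# and name -> (gid, member names).
PASSWD = {"root": (0, 0), "slimserver": (1001, 1001)}
GROUPS = {"wheel": (0, ["root"]), "slimserv": (1001, []),
          "music": (2000, ["slimserver"]), "audio": (2001, [])}

def system_databases():
    """Same shapes as above, read from the host's passwd and group databases."""
    passwd = {p.pw_name: (p.pw_uid, p.pw_gid) for p in pwd.getpwall()}
    groups = {g.gr_name: (g.gr_gid, list(g.gr_mem)) for g in grp.getgrall()}
    return passwd, groups

def plan_credentials(start_uid, user, group, passwd, groups):
    """Return (uid, gid, supplementary gids) to switch to, or None to stay as-is."""
    if start_uid != 0:
        # A non-root process cannot change identity: fail loudly if asked to.
        if user or group:
            raise PermissionError("--user/--group need the server started as root")
        return None
    if not user:
        print("warning: no --user given, defaulting to slimserver", file=sys.stderr)
        user = "slimserver"
    uid, gid = passwd[user]
    if uid == 0:
        # Added check (assumption): never accept root as the target user.
        raise ValueError("refusing to run as root")
    # Built from the database only, so inherited groups are never carried over.
    supp = {g for g, members in groups.values() if user in members}
    if group:
        supp.add(groups[group][0])
    return uid, gid, sorted(supp)

def drop_privileges(uid, gid, supp):
    """Apply a plan. Group calls need root, so they come before setuid."""
    os.setgroups(supp)   # replaces inherited groups such as wheel/operator
    os.setgid(gid)
    os.setuid(uid)
    try:
        os.setuid(0)     # must fail now, otherwise the drop did not stick
    except PermissionError:
        return
    raise RuntimeError("privileges were not dropped")

if __name__ == "__main__":
    print(plan_credentials(0, "slimserver", "audio", PASSWD, GROUPS))
```

On a real host, pass the result of `system_databases()` to `plan_credentials` and hand the returned plan to `drop_privileges` before the server opens any library files.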
Comment 1 Christopher Key 2007-08-28 01:28:10 UTC
Created attachment 2122 [details]
Patch as referenced in the bug report
Comment 2 Chris Owens 2007-08-28 10:07:34 UTC
Andy, should bugs like this one where a community member has provided a patch be assigned to you these days for review and committing?
Comment 3 Andy Grundman 2007-08-28 10:15:33 UTC
Yes, thanks.
Comment 4 Andy Grundman 2007-08-28 12:06:44 UTC
Applied to trunk as change 12766.
Comment 5 Chris Owens 2008-03-07 09:03:14 UTC
This bug is being closed since it was resolved for a version which is now released!  Please download the new version of SqueezeCenter (formerly SlimServer) at http://www.slimdevices.com/su_downloads.html

If you are still seeing this bug, please re-open it and we will consider it for a future release.