[pkg-fso-maint] Bug#595750: nodm: allows all local users (and not just NODM_USER) to connect to (and eavesdrop, screenshot, etc.) the X server
Timo Juhani Lindfors
timo.lindfors at iki.fi
Mon Sep 6 12:23:05 UTC 2010
Package: nodm
Version: 0.7-1
Severity: important
Tags: security
Steps to reproduce:
1) sudo apt-get install nodm
2) Configure /etc/default/nodm to something like
$ cat /etc/default/nodm
# nodm configuration
# Set NODM_ENABLED to something different than 'false' to enable nodm
NODM_ENABLED=true
# User to autologin for
NODM_USER=lindi
# xinit program
NODM_XINIT=/usr/bin/xinit
# First vt to try when looking for free VTs
NODM_FIRST_VT=7
# X session
NODM_XSESSION=/etc/X11/Xsession
# Options for the X server
NODM_X_OPTIONS='vt7 -nolisten tcp'
# If an X session will run for less than this time in seconds, nodm will wait an
# increasing bit of time before restarting the session.
NODM_MIN_SESSION_TIME=60
3) sudo /etc/init.d/nodm start
4) xclock
5) sudo -u nobody sh -c 'xclock'
Expected results:
4) "lindi"'s xclock can connect to the X server since he is logged in.
5) "nobody"'s xclock can _not_ connect to the X server
Actual results:
4) "lindi"'s xclock can connect to the X server since he is logged in.
5) "nobody"'s xclock can connect to the X server
More info:
1) "ps f -eo user,cmd" shows that the -auth option is not passed to X:
root     /usr/sbin/nodm
root      \_ /usr/bin/xinit /usr/sbin/nodm -- vt8 vt7 -nolisten tcp
root          \_ X :0 vt8 vt7 -nolisten tcp
lindi         \_ /usr/sbin/nodm
lindi             \_ /bin/sh -l -c /etc/X11/Xsession
lindi                 \_ icewm
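As an added check (my own script, not part of the bug report or of nodm): a POSIX sh audit that walks /proc and reports any running X server whose command line lacks "-auth", the condition the ps output above shows. The list of server names it recognises and the --audit flag are my own choices.

```shell
#!/bin/sh
# Added audit script (not part of the nodm bug report): find X servers that
# were started without "-auth <cookie-file>". Without -auth the server falls
# back to host-based access control, so every local user can attach to the
# Unix socket, which is what the ps output in the report shows.

# Return 0 if the argument list contains "-auth" followed by a file name,
# 1 otherwise. Pass the server's argv as positional parameters.
x_args_have_auth() {
    while [ $# -gt 0 ]; do
        if [ "$1" = "-auth" ] && [ $# -gt 1 ]; then
            return 0
        fi
        shift
    done
    return 1
}

# Scan /proc for running X servers and print one line per server.
# Returns 1 if at least one server runs without -auth, 0 otherwise.
audit_running_x_servers() {
    unprotected=0
    for cmd in /proc/[0-9]*/cmdline; do
        args=$(tr '\0' '\n' < "$cmd" 2>/dev/null) || continue
        [ -n "$args" ] || continue          # kernel threads have no cmdline
        pid=${cmd#/proc/}; pid=${pid%/cmdline}
        # /proc cmdline is NUL-separated; split on newlines only, no globbing
        oldifs=$IFS; IFS='
'; set -f; set -- $args; set +f; IFS=$oldifs
        case "${1##*/}" in
            X|Xorg|Xvfb|Xnest|Xephyr) ;;    # server names checked (my choice)
            *) continue ;;
        esac
        if x_args_have_auth "$@"; then
            printf 'pid %s: %s protected by -auth\n' "$pid" "$1"
        else
            printf 'pid %s: %s has NO -auth (any local uid can connect)\n' "$pid" "$1"
            unprotected=1
        fi
    done
    return $unprotected
}

# Run the audit when invoked as: sh xauth-audit.sh --audit
case "${1:-}" in
    --audit) audit_running_x_servers; exit $? ;;
esac
```

A nonzero exit from --audit flags the unprotected-server case, so the script can sit in cron or a monitoring check; on the reporter's system it would flag the "X :0 vt8 vt7 -nolisten tcp" process.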
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: armel (armv4tl)
Kernel: Linux 2.6.29-GTA02_lindi2-andy-tracking-mokodev
Locale: LANG=C, LC_CTYPE=fi_FI (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash
Versions of packages nodm depends on:
ii debconf [debconf-2.0] 1.5.35 Debian configuration management sy
ii libc6 2.11.2-5 Embedded GNU C Library: Shared lib
ii libpam0g 1.1.1-4 Pluggable Authentication Modules l
ii x11-common 1:7.5+6 X Window System (X.Org) infrastruc
ii x11-xserver-utils 7.5+2 X server utilities
ii xinit 1.2.0-2 X server initialisation tool
nodm recommends no packages.
nodm suggests no packages.
-- debconf information:
nodm/xinit: /usr/bin/xinit
nodm/min_session_time: 60
nodm/enabled: false
nodm/xsession: /etc/X11/Xsession
nodm/x_options: vt7 -nolisten tcp
nodm/first_vt: 7
nodm/user: root