[pkg-fso-maint] Bug#595750: nodm: allows all local users (and not just NODM_USER) to connect to (and eavesdrop, screenshot, etc.) the X server

Timo Juhani Lindfors timo.lindfors at iki.fi
Mon Sep 6 12:23:05 UTC 2010


Package: nodm
Version: 0.7-1
Severity: important
Tags: security

Steps to reproduce:
1) sudo apt-get install nodm
2) Configure /etc/default/nodm to something like

$ cat /etc/default/nodm
# nodm configuration

# Set NODM_ENABLED to something different than 'false' to enable nodm
NODM_ENABLED=true

# User to autologin for
NODM_USER=lindi

# xinit program
NODM_XINIT=/usr/bin/xinit

# First vt to try when looking for free VTs
NODM_FIRST_VT=7

# X session
NODM_XSESSION=/etc/X11/Xsession

# Options for the X server
NODM_X_OPTIONS='vt7 -nolisten tcp'

# If an X session will run for less than this time in seconds, nodm will wait an
# increasing bit of time before restarting the session.
NODM_MIN_SESSION_TIME=60

3) sudo /etc/init.d/nodm start
4) xclock
5) sudo -u nobody sh -c 'xclock'

Expected results:
4) "lindi"'s xclock can connect to the X server since he is logged in.
5) "nobody"'s xclock can _not_ connect to the X server

Actual results:
4) "lindi"'s xclock can connect to the X server since he is logged in.
5) "nobody"'s xclock can connect to the X server

More info:
1) "ps f -eo user,cmd" shows that the -auth option is not passed to X:

root     /usr/sbin/nodm
root      \_ /usr/bin/xinit /usr/sbin/nodm -- vt8 vt7 -nolisten tcp
root          \_ X :0 vt8 vt7 -nolisten tcp
lindi         \_ /usr/sbin/nodm
lindi             \_ /bin/sh -l -c /etc/X11/Xsession
lindi                 \_ icewm

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: armel (armv4tl)

Kernel: Linux 2.6.29-GTA02_lindi2-andy-tracking-mokodev
Locale: LANG=C, LC_CTYPE=fi_FI (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash

Versions of packages nodm depends on:
ii  debconf [debconf-2.0]         1.5.35     Debian configuration management sy
ii  libc6                         2.11.2-5   Embedded GNU C Library: Shared lib
ii  libpam0g                      1.1.1-4    Pluggable Authentication Modules l
ii  x11-common                    1:7.5+6    X Window System (X.Org) infrastruc
ii  x11-xserver-utils             7.5+2      X server utilities
ii  xinit                         1.2.0-2    X server initialisation tool

nodm recommends no packages.

nodm suggests no packages.

-- debconf information:
  nodm/xinit: /usr/bin/xinit
  nodm/min_session_time: 60
  nodm/enabled: false
  nodm/xsession: /etc/X11/Xsession
  nodm/x_options: vt7 -nolisten tcp
  nodm/first_vt: 7
  nodm/user: root
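The "ps f" listing above shows the symptom directly: the X server was started without an -auth option, so nothing ties access to the server to the logged-in user's cookie. As an added example (not part of the bug report or of nodm), the following POSIX sh script audits that condition from `ps -eo user,args` or `ps f -eo user,cmd` output. The sample listing and the second X server with its `/var/run/example.Xauthority` path are constructed for contrast; the check only inspects command lines and does not verify the cookie file or the xhost access list.

```shell
#!/bin/sh
# Added example, not part of the bug report or the nodm package: audit the
# command lines of running X servers for the missing -auth option that the
# "ps f" listing in the report shows. Feed it the output of
# "ps -eo user,args" (or "ps f -eo user,cmd"; tree markers are stripped).

# Constructed sample modelled on the report's listing; the second X server
# and its /var/run/example.Xauthority path are invented for contrast.
SAMPLE_PS='root     /usr/sbin/nodm
root      \_ /usr/bin/xinit /usr/sbin/nodm -- vt8 vt7 -nolisten tcp
root          \_ X :0 vt8 vt7 -nolisten tcp
lindi         \_ /usr/sbin/nodm
lindi             \_ /bin/sh -l -c /etc/X11/Xsession
root     /usr/bin/X :1 -auth /var/run/example.Xauthority vt9 -nolisten tcp'

# Constructed sample with no X server running at all.
SAMPLE_PS_NOX='root     /usr/sbin/nodm
root      \_ /bin/sleep 60'

# check_x_auth: read ps output on stdin and print one line per X server found,
# stating whether -auth and "-nolisten tcp" are present. Returns 0 if every
# X server has -auth, 1 if any lacks it, 2 if no X server was found.
check_x_auth() {
    status=0
    found=0
    while IFS= read -r line; do
        # Drop the user column, then leading blanks and "\_" tree markers.
        cmd=$(printf '%s\n' "${line#* }" | sed 's/^[ \\_]*//')
        # Only X server binaries are of interest: X, Xorg, or a path to them.
        first=${cmd%% *}
        case $first in
            X|Xorg|*/X|*/Xorg) ;;
            *) continue ;;
        esac
        found=1
        auth=missing
        tcp=listening
        # Surround with spaces so whole arguments are matched, not substrings.
        case " $cmd " in *' -auth '*) auth=ok ;; esac
        case " $cmd " in *' -nolisten tcp '*) tcp=nolisten ;; esac
        [ "$auth" = ok ] || status=1
        printf 'auth=%s tcp=%s  %s\n' "$auth" "$tcp" "$cmd"
    done
    [ "$found" -eq 1 ] || return 2
    return $status
}

# Stand-alone demo on the constructed sample; the exit status carries the result.
printf '%s\n' "$SAMPLE_PS" | check_x_auth \
    || echo "-> problem found (exit status $?): an X server lacks -auth or none was found"
```

On a live system run `ps -eo user,args | sh -c '. ./check_x_auth.sh >/dev/null; check_x_auth'` (or paste the function into an interactive shell); a line marked `auth=missing` means any local user can connect to that display, which is exactly the behaviour reproduced with `sudo -u nobody` above.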
