[pkg-fso-maint] Bug#635992: nodm: -nolisten tcp is forcibly added to NODM_X_OPTIONS, against site policy

James Cameron quozl at laptop.org
Sat Jul 30 00:39:51 UTC 2011


Package: nodm
Version: 0.10-1
Severity: normal
Tags: upstream

nodm now forces -nolisten tcp onto the X server command line if it was not
specified in NODM_X_OPTIONS.  The implementation is in dm.c:

    // Append -nolisten tcp if it wasn't in the command line
    if (!has_nolisten_tcp)
    {
        argv[argc++] = "-nolisten";
        argv[argc++] = "tcp";
    }

nodm is implementing a security policy without any obvious way to configure
nodm not to do so.

Impact: this has broken a private application configuration, and the
alternative of X over SSH is too costly due to increased latency, increased
processing power and loss of substantive audit capability on the private
network.

Workaround 1: rebuild nodm without these lines.

Workaround 2: replace /usr/bin/X with a script that strips the -nolisten tcp
arguments before calling the genuine /usr/bin/X.

/etc/init.d/nodm, /etc/default/nodm and /usr/share/doc/nodm/README all mention
"-nolisten tcp"; perhaps they need not.  The README or manual page does not
mention the forced addition of "-nolisten tcp"; perhaps they should.

(I was unable to identify the upstream location for nodm.  The Debian patch
does not provide a pointer.  I'm happy to take my bug report there if you can
tell me where.)



-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.38-2-686 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages nodm depends on:
ii  debconf [debconf-2.0]         1.5.40     Debian configuration management sy
ii  libc6                         2.13-10    Embedded GNU C Library: Shared lib
ii  libpam0g                      1.1.3-2    Pluggable Authentication Modules l
ii  libx11-6                      2:1.4.3-2  X11 client-side library
ii  x11-common                    1:7.6+7    X Window System (X.Org) infrastruc
ii  x11-xserver-utils             7.6+3      X server utilities

nodm recommends no packages.

nodm suggests no packages.

-- Configuration Files:
/etc/init.d/nodm changed [not included]

-- debconf information excluded
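
The configurability this report asks for, sketched as an added example (not code from nodm, its Debian packaging or the reporter): the dm.c default stays in force, and only an explicit site setting lifts it. The names `NODM_X_ALLOW_TCP`, `tcp_opt_out` and `finish_x_args` are hypothetical; nodm 0.10 has no such option.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* True if argv already carries the two-token option "-nolisten tcp". */
static bool has_nolisten_tcp(char *const argv[], int argc)
{
    for (int i = 0; i + 1 < argc; i++)
        if (!strcmp(argv[i], "-nolisten") && !strcmp(argv[i + 1], "tcp"))
            return true;
    return false;
}

/* Hypothetical opt-out: only the exact value "yes" lifts the default;
 * unset, empty or misspelled values keep TCP listening disabled. */
bool tcp_opt_out(const char *value)
{
    return value != NULL && strcmp(value, "yes") == 0;
}

/* Finish the X server argument vector. "-nolisten tcp" is appended when
 * absent unless allow_tcp is set. cap is the size of argv[] in entries.
 * Returns the new argc, or -1 if argv[] has no room for the additions
 * plus the terminating NULL. */
int finish_x_args(char *argv[], int argc, int cap, bool allow_tcp)
{
    bool add = !allow_tcp && !has_nolisten_tcp(argv, argc);
    if (argc + (add ? 2 : 0) + 1 > cap)
        return -1;
    if (add) {
        argv[argc++] = "-nolisten";
        argv[argc++] = "tcp";
    }
    argv[argc] = NULL;
    return argc;
}

int main(void)
{
    /* Constructed sample command line; NODM_X_ALLOW_TCP is an assumed name. */
    char *argv[8] = {"/usr/bin/X", ":0", "vt7"};
    int n = finish_x_args(argv, 3, 8, tcp_opt_out(getenv("NODM_X_ALLOW_TCP")));
    for (int i = 0; i < n; i++)
        printf("%s%s", argv[i], i + 1 < n ? " " : "\n");
    return n < 0;
}
```

With the variable unset the program prints the command line with `-nolisten tcp` appended; a site that needs TCP has to state that in its own configuration, which also leaves an auditable record of the decision.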




