Package: nodm
Version: 0.7-1
Severity: important
Tags: security

Steps to reproduce:
1) sudo apt-get install nodm
2) Configure /etc/default/nodm to something like

$ cat /etc/default/nodm
# nodm configuration

# Set NODM_ENABLED to something different than 'false' to enable nodm
NODM_ENABLED=true

# User to autologin for
NODM_USER=lindi

# xinit program
NODM_XINIT=/usr/bin/xinit

# First vt to try when looking for free VTs
NODM_FIRST_VT=7

# X session
NODM_XSESSION=/etc/X11/Xsession

# Options for the X server
NODM_X_OPTIONS='vt7 -nolisten tcp'

# If an X session will run for less than this time in seconds, nodm will wait an
# increasing bit of time before restarting the session.
NODM_MIN_SESSION_TIME=60

3) sudo /etc/init.d/nodm start
4) xclock
5) sudo -u nobody sh -c 'xclock'

Expected results:
4) "lindi"'s xclock can connect to the X server since he is logged in.
5) "nobody"'s xclock can _not_ connect to the X server

Actual results:
4) "lindi"'s xclock can connect to the X server since he is logged in.
5) "nobody"'s xclock can connect to the X server

More info:
1) "ps f -eo user,cmd" shows that the -auth option is not passed to X:

root     /usr/sbin/nodm
root      \_ /usr/bin/xinit /usr/sbin/nodm -- vt8 vt7 -nolisten tcp
root          \_ X :0 vt8 vt7 -nolisten tcp
lindi         \_ /usr/sbin/nodm
lindi             \_ /bin/sh -l -c /etc/X11/Xsession
lindi                 \_ icewm

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: armel (armv4tl)

Kernel: Linux 2.6.29-GTA02_lindi2-andy-tracking-mokodev
Locale: LANG=C, LC_CTYPE=fi_FI (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash

Versions of packages nodm depends on:
ii  debconf [debconf-2.0]   1.5.35     Debian configuration management sy
ii  libc6                   2.11.2-5   Embedded GNU C Library: Shared lib
ii  libpam0g                1.1.1-4    Pluggable Authentication Modules l
ii  x11-common              1:7.5+6    X Window System (X.Org) infrastruc
ii  x11-xserver-utils       7.5+2      X server utilities
ii  xinit                   1.2.0-2    X server initialisation tool

nodm recommends no packages.

nodm suggests no packages.

-- debconf information:
  nodm/xinit: /usr/bin/xinit
  nodm/min_session_time: 60
  nodm/enabled: false
  nodm/xsession: /etc/X11/Xsession
  nodm/x_options: vt7 -nolisten tcp
  nodm/first_vt: 7
  nodm/user: root
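
A check for the condition shown under "More info" (an X server started without -auth), as an added example that is not part of the original report or of nodm. It scans "ps f -eo user,cmd" output for X servers lacking -auth and, going slightly beyond the report, also flags -ac; the function names and the last two sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag X servers whose command line leaves the display
# open to every local user. Function names here are hypothetical.

# Constructed sample: the first four lines mirror the process tree in the
# report; the last two are constructed counter-examples.
sample_ps() {
cat <<'EOF'
root     /usr/sbin/nodm
root      \_ /usr/bin/xinit /usr/sbin/nodm -- vt8 vt7 -nolisten tcp
root          \_ X :0 vt8 vt7 -nolisten tcp
lindi         \_ /usr/sbin/nodm
root     /usr/bin/Xorg :1 vt9 -auth /var/run/example.auth -nolisten tcp
root     /usr/bin/X :2 -auth /var/run/example.auth -ac
EOF
}

# Reads "user command-line" rows on stdin and prints "<display> <reason>"
# for every X server that runs without an authority file or with -ac.
audit_x_auth() {
    awk '
    {
        # Skip the user column and the "|" / "\_" tree markers of "ps f".
        i = 2
        while ($i == "|" || $i == "\\_") i++
        n = split($i, path, "/")
        if (path[n] != "X" && path[n] != "Xorg") next   # not an X server

        display = ":0"; auth = 0; ac = 0   # X uses :0 when none is given
        for (j = i + 1; j <= NF; j++) {
            if ($j ~ /^:[0-9]+$/) display = $j
            else if ($j == "-auth" && j < NF) { auth = 1; j++ }
            else if ($j == "-ac") ac = 1   # disables host-based access control
        }
        if (!auth) print display, "no-auth-file"
        else if (ac) print display, "access-control-disabled"
    }'
}

sample_ps | audit_x_auth
```

On a live system the same function can be fed directly: ps f -eo user,cmd | audit_x_auth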