#595750 nodm: allows all local users (and not just NODM_USER) to connect to (and eavesdrop, screenshot, etc.) the X server

Package:
nodm
Source:
nodm
Description:
automatic display manager
Submitter:
Timo Juhani Lindfors
Date:
2010-09-06 12:27:04 UTC
Severity:
important
#595750#5
Date:
2010-09-06 12:23:05 UTC
Steps to reproduce:
1) sudo apt-get install nodm
2) Configure /etc/default/nodm to something like

$ cat /etc/default/nodm
# nodm configuration

# Set NODM_ENABLED to something different than 'false' to enable nodm
NODM_ENABLED=true

# User to autologin for
NODM_USER=lindi

# xinit program
NODM_XINIT=/usr/bin/xinit

# First vt to try when looking for free VTs
NODM_FIRST_VT=7

# X session
NODM_XSESSION=/etc/X11/Xsession

# Options for the X server
NODM_X_OPTIONS='vt7 -nolisten tcp'

# If an X session will run for less than this time in seconds, nodm will wait an
# increasing bit of time before restarting the session.
NODM_MIN_SESSION_TIME=60

3) sudo /etc/init.d/nodm start
4) xclock
5) sudo -u nobody sh -c 'xclock'

Expected results:
4) "lindi"'s xclock can connect to the X server since he is logged in.
5) "nobody"'s xclock can _not_ connect to the X server

Actual results:
4) "lindi"'s xclock can connect to the X server since he is logged in.
5) "nobody"'s xclock can connect to the X server

More info:
1) "ps f -eo user,cmd" shows that the -auth option is not passed to X:

root     /usr/sbin/nodm
root      \_ /usr/bin/xinit /usr/sbin/nodm -- vt8 vt7 -nolisten tcp
root          \_ X :0 vt8 vt7 -nolisten tcp
lindi         \_ /usr/sbin/nodm
lindi             \_ /bin/sh -l -c /etc/X11/Xsession
lindi                 \_ icewm
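The process tree above is the evidence for the bug: the X server was started with no -auth option, so no xauth cookie guards the display socket. As an added example (not part of the bug report or of nodm), the POSIX shell function below scans a "ps f -eo user,cmd" style listing for X server command lines that lack -auth, which is a quick way to audit a display-manager setup for this condition. The two listings embedded in the script are constructed: the first reproduces the tree shown in the report, the second is a hypothetical corrected tree in which xinit passed -auth to the server.

```shell
#!/bin/sh
# Added example, not from the bug report: detect X servers started without -auth.
# An X server that is given no -auth file (and whose socket is not otherwise
# restricted) accepts every local user that can reach its Unix socket, which is
# the behaviour the report observes for the "nobody" xclock.

# Constructed sample, modelled on the "ps f -eo user,cmd" tree in the report.
SAMPLE_PS='root     /usr/sbin/nodm
root      \_ /usr/bin/xinit /usr/sbin/nodm -- vt8 vt7 -nolisten tcp
root          \_ X :0 vt8 vt7 -nolisten tcp
lindi         \_ /usr/sbin/nodm
lindi             \_ /bin/sh -l -c /etc/X11/Xsession
lindi                 \_ icewm'

# Constructed hypothetical "fixed" tree: xinit hands the server an auth file.
# The auth file path is a placeholder, not a path nodm actually uses.
SAMPLE_PS_OK='root     /usr/sbin/nodm
root      \_ /usr/bin/xinit /usr/sbin/nodm -- :0 vt7 -nolisten tcp -auth /run/EXAMPLE.auth
root          \_ X :0 vt7 -nolisten tcp -auth /run/EXAMPLE.auth'

# x_servers_without_auth LISTING
# Prints "<user>: <X command line>" for every X server process whose argument
# list contains no -auth option; prints nothing when every server has one.
x_servers_without_auth() {
    printf '%s\n' "$1" | awk '
        {
            found_x = 0
            has_auth = 0
            # Field 1 is the user column; the "\_" tree marker is skipped
            # naturally because it never matches an X server name.
            for (i = 2; i <= NF; i++) {
                if (!found_x && ($i == "X" || $i == "Xorg" || $i ~ /\/X(org)?$/)) {
                    found_x = i
                    continue
                }
                if (found_x && $i == "-auth")
                    has_auth = 1
            }
            if (found_x && !has_auth) {
                cmd = ""
                for (i = found_x; i <= NF; i++)
                    cmd = cmd (i == found_x ? "" : " ") $i
                print $1 ": " cmd
            }
        }'
}

# Live usage on the current host (output empty means every X server has -auth):
#   x_servers_without_auth "$(ps f -eo user,cmd)"
```

On the report's tree the function reports "root: X :0 vt8 vt7 -nolisten tcp"; on the corrected tree it prints nothing. The check only covers the -auth argument, so a server that enables host-based access with xhost or that listens on TCP still needs its own review.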