postinst didn't ask for configuration → SECURITY ISSUE

Bug #2053215 reported by Col.Row
Affects        Status  Importance  Assigned to  Milestone
nodm (Ubuntu)  New     Undecided   Unassigned

Bug Description

root@vmm--noble-mate:~# lsb_release -rd
No LSB modules are available.
Description: Ubuntu Noble Numbat (development branch)
Release: 24.04
root@vmm--noble-mate:~# apt-cache policy nodm
nodm:
  Installed: 0.13-6build1
  Candidate: 0.13-6build1
  Version table:
 *** 0.13-6build1 500
        500 http://ftp.stw-bonn.de/ubuntu noble/universe amd64 Packages
        100 /var/lib/dpkg/status
root@vmm--noble-mate:~#

also tested: Ubuntu Mate 22.04, Ubuntu 22.04, Ubuntu 20.04
Host: Ubuntu Mate 22.04 using virt-manager

BUG:
The script /var/lib/dpkg/info/nodm.postinst asks if nodm should be activated. After this question the script finishes. Really? But as I understood it, it should also ask for a user to autologin. But this did not happen, therefore:

admin@vmm--noble-mate:~ $ grep USER /etc/default/nodm
NODM_USER=root #sic!
admin@vmm--noble-mate:~ $

After rebooting the entire graphical environment will be started for user root! OMG!

root@vmm--noble-mate:~# ps aux | grep -vE "^root"
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
systemd+ 467 0.0 0.3 21056 12544 ? Ss 04:31 0:00 /lib/systemd/systemd-resolved
systemd+ 486 0.0 0.1 90544 7424 ? Ssl 04:31 0:00 /lib/systemd/systemd-timesyncd
avahi 638 0.0 0.1 8508 4352 ? Ss 04:31 0:00 avahi-daemon: running [vmm--noble-mate.local]
message+ 641 0.0 0.1 10864 6400 ? Ss 04:31 0:00 @dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
polkitd 675 0.0 0.2 310364 10096 ? Ssl 04:31 0:00 /usr/lib/polkit-1/polkitd --no-debug
avahi 727 0.0 0.0 8320 1420 ? S 04:31 0:00 avahi-daemon: chroot helper
syslog 750 0.0 0.1 222408 6144 ? Ssl 04:31 0:00 /usr/sbin/rsyslogd -n -iNONE
lp 886 0.0 0.1 16776 6400 ? S 04:31 0:00 /usr/lib/cups/notifier/dbus dbus://
lp 887 0.0 0.1 16776 6400 ? S 04:31 0:00 /usr/lib/cups/notifier/dbus dbus://
lp 890 0.0 0.1 16776 6528 ? S 04:31 0:00 /usr/lib/cups/notifier/dbus dbus://
cups-br+ 894 0.0 0.4 268168 19456 ? Ssl 04:31 0:00 /usr/sbin/cups-browsed
kernoops 905 0.0 0.0 12656 2460 ? Ss 04:31 0:00 /usr/sbin/kerneloops --test
kernoops 940 0.0 0.0 12656 2444 ? Ss 04:31 0:00 /usr/sbin/kerneloops
rtkit 1896 0.0 0.0 22864 3200 ? SNsl 04:31 0:00 /usr/libexec/rtkit-daemon
root@vmm--noble-mate:~#

I think this is not the expected behavior and of course not user-friendly.

Please remove package from noble repo until the package is fixed, because this is a very strange kind of security issue.

information type: Private Security → Public Security
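As an added example (not part of nodm, of this report or of the comments below): a small POSIX shell audit that reads an /etc/default/nodm-style file and flags the NODM_USER=root state quoted above, so the condition can be caught right after installation rather than discovered after a reboot. The NODM_ENABLED variable name is taken from nodm's default file and is an assumption here, as is the default file path.

```shell
#!/bin/sh
# Added audit helper; it is not part of nodm or of this bug report.
# Reads an /etc/default/nodm-style file and classifies the autologin
# nodm would perform at the next boot.
#   0 = enabled for a non-root user
#   1 = enabled with NODM_USER=root or unset: a root desktop (the state
#       quoted in the report)
#   2 = nodm disabled (NODM_ENABLED is assumed from nodm's default file)
#   3 = file unreadable

# Value of the last uncommented NAME=... line, as the shell sourcing the
# file would see it, with quotes, trailing comments and whitespace removed.
_nodm_var() {
    sed -n "s/^[[:space:]]*$2=\([^#]*\).*/\1/p" "$1" \
        | tail -n 1 | tr -d "\"'[:space:]"
}

nodm_autologin_status() {
    file="${1:-/etc/default/nodm}"
    [ -r "$file" ] || return 3
    enabled=$(_nodm_var "$file" NODM_ENABLED)
    user=$(_nodm_var "$file" NODM_USER)
    case "$enabled" in
        true|yes|1) ;;      # nodm will start a session at boot
        *) return 2 ;;
    esac
    # An unset user is treated as unsafe too: the report shows that an
    # unanswered question leaves the autologin user at root.
    [ -n "$user" ] && [ "$user" != root ] || return 1
    return 0
}

# Human-readable wrapper suitable for a post-install check.
nodm_autologin_report() {
    f="${1:-/etc/default/nodm}"
    rc=0; nodm_autologin_status "$f" || rc=$?
    case $rc in
        0) echo "ok: nodm autologin user is '$(_nodm_var "$f" NODM_USER)'" ;;
        1) echo "WARNING: nodm would start a graphical session as root; run 'sudo dpkg-reconfigure nodm'" ;;
        2) echo "info: nodm is not enabled" ;;
        *) echo "error: cannot read $f" ;;
    esac
}
```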
Seth Arnold (seth-arnold) wrote:

The upstream repository highlights that it's not maintained and that lightdm's similar feature should probably be used instead: https://github.com/spanezz/nodm/

The postinst file uses a bunch of debconf information, including the user -- perhaps your debconf priorities were set too high to see the questions? Try: sudo dpkg-reconfigure nodm

It seems to do what it advertises to do, so I don't see a reason to rush it out of the distribution.

Thanks

Marc Deslauriers (mdeslaur) wrote: Bug is not a security issue

Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.

information type: Public Security → Public