postinst didn't ask for configuration → SECURITY ISSUE
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
nodm (Ubuntu) | New | Undecided | Unassigned | |
Bug Description
root@vmm-
No LSB modules are available.
Description: Ubuntu Noble Numbat (development branch)
Release: 24.04
root@vmm-
nodm:
Installed: 0.13-6build1
Candidate: 0.13-6build1
Version table:
*** 0.13-6build1 500
500 http://
100 /var/lib/
root@vmm-
also tested: Ubuntu Mate 22.04, Ubuntu 22.04, Ubuntu 20.04
Host: Ubuntu Mate 22.04 using virt-manager
BUG:
The script /var/lib/
admin@vmm-
NODM_USER=root #sic!
admin@vmm-
After rebooting, the entire graphical environment will be started for user root! OMG!
root@vmm-
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
systemd+ 467 0.0 0.3 21056 12544 ? Ss 04:31 0:00 /lib/systemd/
systemd+ 486 0.0 0.1 90544 7424 ? Ssl 04:31 0:00 /lib/systemd/
avahi 638 0.0 0.1 8508 4352 ? Ss 04:31 0:00 avahi-daemon: running [vmm--noble-
message+ 641 0.0 0.1 10864 6400 ? Ss 04:31 0:00 @dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-
polkitd 675 0.0 0.2 310364 10096 ? Ssl 04:31 0:00 /usr/lib/
avahi 727 0.0 0.0 8320 1420 ? S 04:31 0:00 avahi-daemon: chroot helper
syslog 750 0.0 0.1 222408 6144 ? Ssl 04:31 0:00 /usr/sbin/rsyslogd -n -iNONE
lp 886 0.0 0.1 16776 6400 ? S 04:31 0:00 /usr/lib/
lp 887 0.0 0.1 16776 6400 ? S 04:31 0:00 /usr/lib/
lp 890 0.0 0.1 16776 6528 ? S 04:31 0:00 /usr/lib/
cups-br+ 894 0.0 0.4 268168 19456 ? Ssl 04:31 0:00 /usr/sbin/
kernoops 905 0.0 0.0 12656 2460 ? Ss 04:31 0:00 /usr/sbin/
kernoops 940 0.0 0.0 12656 2444 ? Ss 04:31 0:00 /usr/sbin/
rtkit 1896 0.0 0.0 22864 3200 ? SNsl 04:31 0:00 /usr/libexec/
root@vmm-
I think this is not the expected behavior and of course not user-friendly.
Please remove the package from the noble repo until the package is fixed, because this is a very strange kind of security issue.
information type: Private Security → Public Security
The upstream repository highlights that it's not maintained and that lightdm's similar feature should probably be used instead: https://github.com/spanezz/nodm/
The postinst file uses a bunch of debconf information, including the user -- perhaps your debconf priorities were set too high to see the questions? Try: sudo dpkg-reconfigure nodm
It seems to do what it advertises to do, so I don't see a reason to rush it out of the distribution.
Thanks
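
A check that can be run after installing the package, as an added example that is not part of the bug report or of nodm itself: it reads `NODM_USER` from a defaults file without sourcing it and flags a session user that resolves to UID 0. The function names, the exit-code convention and the sample file are constructed here; pass the path of your own nodm configuration file, which this page shows only in truncated form.

```shell
#!/bin/sh
# Added example (not nodm's code): audit a nodm defaults file for a root session.

# Print the last effective value of KEY from a shell-style KEY=VALUE file.
# The file is parsed, never sourced, so nothing inside it gets executed.
conf_value() {
    # $1 = key, $2 = file (path supplied by the caller)
    sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1 |
        sed -e 's/[[:space:]]\{1,\}#.*$//' -e 's/[[:space:]]*$//' \
            -e "s/^'\(.*\)'\$/\1/" -e 's/^"\(.*\)"$/\1/'
}

# Exit status: 0 = unprivileged session user, 1 = session runs with UID 0,
# 2 = NODM_USER is not set in the file.
audit_nodm_user() {
    file=$1
    user=$(conf_value NODM_USER "$file")
    if [ -z "$user" ]; then
        echo "NODM_USER not set in $file"
        return 2
    fi
    # Resolve the account: a name other than "root" can also map to UID 0.
    uid=$(id -u -- "$user" 2>/dev/null) || uid=unknown
    if [ "$user" = root ] || [ "$uid" = 0 ]; then
        echo "FINDING: $file starts the X session as $user (uid $uid)"
        return 1
    fi
    echo "ok: $file starts the X session as $user (uid $uid)"
    return 0
}

# Constructed sample input: the single setting quoted in the bug description.
sample=$(mktemp)
printf '# constructed sample file\nNODM_USER=root #sic!\n' > "$sample"
audit_nodm_user "$sample" || echo "(exit status $?)"
rm -f "$sample"
```

The non-zero exit status on a finding lets the function gate an image build or a configuration-management run.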