spanezz / nodm

Automatic display manager
GNU General Public License v2.0

[SECURITY] nodm runs X server without -auth by default, allowing any user to connect #22

Open CyberShadow opened 2 years ago

CyberShadow commented 2 years ago

Hi, I realize this project is no longer maintained, I'm filing this mostly out of due diligence and for future readers.

I accidentally noticed that any local user can connect to DISPLAY=:0, even without access to the .Xauthority file, or XAUTHORITY environment variable, or any additional xauth / xhost configuration permitting them. In the end (with help from susi on #archlinux) this was narrowed down to nodm running Xorg without -auth.

I configured nodm according to its suggested configuration, i.e. NODM_X_OPTIONS='vt7 -nolisten tcp'.

startx does configure an auth file and place it on the server's command line using -auth, so this problem does not occur when launching the X server via getty -> startx.

ryao commented 1 year ago

You could pass -auth via NODM_X_OPTIONS, but for the purpose of running a kiosk, this is probably not a problem.
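As an added example (not nodm's code, nor from either commenter), here is a small POSIX sh audit for the gap CyberShadow describes and the -auth option ryao mentions: it classifies an X server command line as open or protected by whether it carries -auth, can walk /proc to check live servers, and shows how a startx-style server auth file is built with mcookie and xauth. The /proc walk, the process names Xorg/X, and the serverauth file name are assumptions about a typical Linux install.

```shell
#!/bin/sh
# Added example, not part of nodm: audit whether an X server was started with
# -auth. Without it, any local user can connect to the display with no cookie.

# Return 0 if the command line (one string, words separated by spaces) carries
# an -auth argument, 1 otherwise.
xorg_has_auth() {
    for word in $1; do
        [ "$word" = "-auth" ] && return 0
    done
    return 1
}

# Print "protected" when -auth is present, "open" when it is missing.
xorg_auth_status() {
    if xorg_has_auth "$1"; then echo protected; else echo open; fi
}

# Walk /proc and report every X server process. Process names and the /proc
# layout are assumptions about a typical Linux system; /proc/<pid>/cmdline is
# NUL-separated, so the NULs are turned into spaces first.
audit_running_xorg() {
    found=0
    for p in /proc/[0-9]*; do
        comm=$(cat "$p/comm" 2>/dev/null) || continue
        case "$comm" in Xorg|X|Xorg.wrap) ;; *) continue ;; esac
        cl=$(tr '\0' ' ' < "$p/cmdline" 2>/dev/null) || continue
        echo "pid ${p#/proc/}: $(xorg_auth_status "$cl") : $cl"
        found=1
    done
    [ "$found" -eq 1 ] || echo "no running X server found"
}

# Build a server auth file the way startx does: one random MIT-MAGIC-COOKIE-1
# for the display. The same cookie must also reach the session's XAUTHORITY,
# otherwise the logged-in user is locked out too. Not run by default.
make_server_auth() {
    authfile="$1"; display="${2:-:0}"
    cookie=$(mcookie) || return 1
    xauth -q -f "$authfile" add "$display" . "$cookie"
}

# Constructed command lines: the issue's suggested nodm config, and a
# startx-style one. The serverauth path is a made-up sample value.
NODM_DEFAULT_CMD="/usr/lib/Xorg :0 vt7 -nolisten tcp"
STARTX_CMD="/usr/lib/Xorg :0 -auth /tmp/serverauth.abc123 vt7 -nolisten tcp"

# Only touch /proc when explicitly asked, so sourcing this file has no side effects.
if [ "${1:-}" = "--audit" ]; then audit_running_xorg; fi
```

Run it as `sh audit.sh --audit` to list live X servers; a "protected" line means -auth was on the command line, which is the state ryao's NODM_X_OPTIONS suggestion aims for.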