FS#11431 - use user "gdm" instead of "nobody" for gdm

Attached to Project: Arch Linux
Opened by Björn Martensen (baze) - Tuesday, 09 September 2008, 20:09 GMT
Last edited by Jan de Groot (JGC) - Saturday, 11 October 2008, 23:24 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Jan de Groot (JGC)
Architecture All
Severity High
Priority Normal
Reported Version None
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

i just talked a bit to the a gdm dev and when i said that arch uses the user "nobody" for gdm, he said that this was a very bad idea since anything running as "nobody" would be able to sniff everybody's passwords! he said the docs even say not to do that.
why is this done this way in arch when this is such a security issue? as it's not the default setting but arch uses a custom configuration for gdm.

this also prevents running gdm 2.23.x which needs the user "gdm" btw.
This task depends upon

Closed by  Jan de Groot (JGC)
Saturday, 11 October 2008, 23:24 GMT
Reason for closing:  Fixed
Additional comments about closing:  Fixed in 2.20.8.
Comment by Jan de Groot (JGC) - Tuesday, 09 September 2008, 21:44 GMT
This nobody user has been used since the beginning, which is the reason why it's in our package. The reason why gdm 2.23 doesn't work without a nobody user is that the "gdm" user is hardcoded in the source.
I don't think we will ship gdm 2.22 or 2.24 anyways, as I can't get it working at all and there's too many regressions reported, but the next 2.20.x update of gdm will have a gdm user.

Loading...