ID: AR12K00763
Applies to: NoMachine Technology
Added on: 2013-11-18
Last Update: 2013-11-18

Understanding the implications of running X applications as root

Running X11 applications as root is intrinsically a security risk. The number of libraries and resources an X11 application has to load and keep in use is much higher than for a text-based application. This exposes the root user's process to a greater chance that a bug in the graphical application opens the door to a privilege escalation attack. X11 also makes it easy to read the display memory used by the root application, so all unprivileged applications running on the same display are able to read the root user's screen. For this reason many modern Linux distributions limit or disallow access to the X display by applications run by the root user. Even though it is generally possible to work around or disable these restrictions, it's always good practice to limit root access to the X11 server to the minimum.

To avoid such security issues with the root user, NoMachine does not allow users to log in as root by default.

In cases where a login screen or desktop environment is running as the root user, despite the implications discussed here, NoMachine must be able to distinguish, when it connects to the display of a given host, whether that display is showing an active user session (desktop environment) or a login screen (owned by root) that is therefore unattended. If no active desktop is running (i.e. a login screen is present), NoMachine won't ask permission from any user to accept the connection. This is necessary so that connecting users can take control of the display and enter their login credentials on machines running unattended. In this case, NoMachine connects to the display in order to give the user access to the login screen, and does this by acquiring the cookie to connect to the physical display, which NoMachine protects from unauthorized access.

As already mentioned, to be able to connect to the login screen NoMachine needs to distinguish between when the display is showing the login screen and when it is actually running a user session. How is this done? There is no known trustworthy mechanism available in the Linux/Unix realm of tools which is able to carry out this check. ConsoleKit proved to be unreliable on multiple operating systems and versions. To determine that the remote display is in fact a login screen, NoMachine adopts a series of techniques, one of which, for example, is to verify whether there is a window manager running.

Despite these checks, NoMachine could still mistake a root user's session for the login screen. The result is that access is erroneously given to the user asking to connect, without first requesting permission from the user who is actually sitting in front of the display at that moment.

For this reason, it is strongly advised that users don't run applications as root on the physical display.
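
To check a host against this advice, the following added example (not NoMachine code and not part of the original article) lists root-owned processes whose environment names an X display. It assumes a Linux `/proc` layout and treats a `DISPLAY` variable in the process environment as a heuristic for "attached to an X display"; the function name `root_x_clients` is hypothetical.

```shell
#!/bin/sh
# Added example: audit for root-owned processes that reference an X display.
# Heuristic (assumption): a process counts as an X client if DISPLAY is set
# in its environment. A process can connect to X without it, or carry the
# variable without connecting, so treat the output as a starting point.
#
# Usage:  root_x_clients [PROC_ROOT]    (PROC_ROOT defaults to /proc)
# Output: one line per match: "PID COMMAND DISPLAY"
root_x_clients() {
    proc_root="${1:-/proc}"
    for dir in "$proc_root"/[0-9]*; do
        # Skip entries that vanished or that we are not allowed to read.
        [ -r "$dir/status" ] && [ -r "$dir/environ" ] || continue

        # The "Uid:" line holds real, effective, saved and filesystem UIDs;
        # field 3 is the effective UID.
        euid=$(awk '$1 == "Uid:" { print $3; exit }' "$dir/status")
        [ "$euid" = "0" ] || continue

        # environ is NUL-separated; split it into lines and extract DISPLAY.
        display=$(tr '\0' '\n' < "$dir/environ" 2>/dev/null \
                  | sed -n 's/^DISPLAY=//p' | head -n 1)
        [ -n "$display" ] || continue

        comm=$(cat "$dir/comm" 2>/dev/null || echo '?')
        printf '%s %s %s\n' "${dir##*/}" "$comm" "$display"
    done
}
```

Run `root_x_clients` as root, since the environment of root-owned processes is not readable by other users. Processes belonging to the login screen itself may appear in the output; anything else on the physical display is what the advice above asks you to avoid.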