Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Ubuntu, Linux Mint, and the Guest Account
From: Georgi Guninski <guninski () guninski com>
Date: Mon, 7 May 2012 11:40:51 +0300

On Sat, May 05, 2012 at 07:52:25PM -0400, Marc Deslauriers wrote:
On Sat, 2012-05-05 at 19:42 -0400, Jeffrey Walton wrote:
I know there's not much new here, but I am amazed that Ubuntu, Linux
Mint and friends ship with a Guest account present and enabled.

The Guest account is surreptitiously added through a lightdm
configuration file, and is not part of the standard user database.
Because its not part of the standard user database, it can't be
disabled through /etc/shadow, nor disable it through familiar tools
such as userdel and usermod. Additionally, the damn account does not
show up in distribution provided tools such as User Accounts applet.

To make matters worse, grepping for guest returns 0 results because
lightdm.conf does not mention one must add the following to disable
the guest account (nothing is required to enable the account):

    allow-guest=false

To add insult to injury, the Guest account is not sandboxed and user
home directories lack sufficient ACLs, so the guest account is able to
wander through user's home directories:

The guest account should be confined with an AppArmor profile on Ubuntu,
which prevents it from accessing other users' directories. Please file a
bug if this isn't working correctly for you.

Marc.



i doubt AppArmor stops all root exploits, though i don't care about
your nonsense much

-- 
Georgi

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]