lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Sat, 5 May 2012 19:42:00 -0400
From: Jeffrey Walton <noloader@...il.com>
To: FunSec List <funsec@...uxbox.org>,
  Full Disclosure <full-disclosure@...ts.grok.org.uk>,
  BugTraq <bugtraq@...urityfocus.com>
Subject: Ubuntu, Linux Mint, and the Guest Account

I know there's not much new here, but I am amazed that Ubuntu, Linux
Mint and friends ship with a Guest account present and enabled.

The Guest account is surreptitiously added through a lightdm
configuration file, and is not part of the standard user database.
Because its not part of the standard user database, it can't be
disabled through /etc/shadow, nor disable it through familiar tools
such as userdel and usermod. Additionally, the damn account does not
show up in distribution provided tools such as User Accounts applet.

To make matters worse, grepping for guest returns 0 results because
lightdm.conf does not mention one must add the following to disable
the guest account (nothing is required to enable the account):

    allow-guest=false

To add insult to injury, the Guest account is not sandboxed and user
home directories lack sufficient ACLs, so the guest account is able to
wander through user's home directories:

guest-dojMxl@...mint-12-x64 ~ $ pwd
/tmp/guest-dojMxl
guest-dojMxl@...mint-12-x64 ~ $ whoami
guest-dojMxl
guest-dojMxl@...mint-12-x64 /home/jwalton $ cd /home/
guest-dojMxl@...mint-12-x64 /home $ ls -al
total 12
drwxr-xr-x  3 root    root    4096 2012-05-05 16:29 .
drwxr-xr-x 23 root    root    4096 2012-05-05 16:32 ..
drwxr-xr-x  5 jwalton jwalton 4096 2012-05-05 16:35 jwalton
guest-dojMxl@...mint-12-x64 ~ $ cd /home/jwalton/
guest-dojMxl@...mint-12-x64 /home/jwalton $ ls -al
total 28
drwxr-xr-x 5 jwalton jwalton 4096 2012-05-05 16:35 .
drwxr-xr-x 3 root    root    4096 2012-05-05 16:29 ..
-rw-r--r-- 1 jwalton jwalton  220 2012-05-05 16:29 .bash_logout
drwx------ 3 jwalton jwalton 4096 2012-05-05 16:35 .cache
drwxr-xr-x 3 jwalton jwalton 4096 2012-05-05 16:29 .config
drwxr-xr-x 4 jwalton jwalton 4096 2012-05-05 16:29 .mozilla
-rw-r--r-- 1 jwalton jwalton  675 2012-05-05 16:29 .profile
...

 Is there any reason a KIOSK-like account is enabled by default? Do
KIOSKs really dominate the desktop market to warrant the account out
of the box?

Powered by blists - more mailing lists