lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20120507084051.GB2675@sivokote.iziade.m$>
Date: Mon, 7 May 2012 11:40:51 +0300
From: Georgi Guninski <guninski@...inski.com>
To: Marc Deslauriers <marc.deslauriers@...onical.com>
Cc: Full Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Ubuntu, Linux Mint, and the Guest Account

On Sat, May 05, 2012 at 07:52:25PM -0400, Marc Deslauriers wrote:
> On Sat, 2012-05-05 at 19:42 -0400, Jeffrey Walton wrote:
> > I know there's not much new here, but I am amazed that Ubuntu, Linux
> > Mint and friends ship with a Guest account present and enabled.
> > 
> > The Guest account is surreptitiously added through a lightdm
> > configuration file, and is not part of the standard user database.
> > Because its not part of the standard user database, it can't be
> > disabled through /etc/shadow, nor disable it through familiar tools
> > such as userdel and usermod. Additionally, the damn account does not
> > show up in distribution provided tools such as User Accounts applet.
> > 
> > To make matters worse, grepping for guest returns 0 results because
> > lightdm.conf does not mention one must add the following to disable
> > the guest account (nothing is required to enable the account):
> > 
> >     allow-guest=false
> > 
> > To add insult to injury, the Guest account is not sandboxed and user
> > home directories lack sufficient ACLs, so the guest account is able to
> > wander through user's home directories:
> 
> The guest account should be confined with an AppArmor profile on Ubuntu,
> which prevents it from accessing other users' directories. Please file a
> bug if this isn't working correctly for you.
> 
> Marc.
>


i doubt AppArmor stops all root exploits, though i don't care about
your nonsense much

-- 
Georgi

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists