lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <CAH8yC8ki4LJoNDE80CN_h-7our6FD4jKo_vy6hA+gVYdX+rMUg@mail.gmail.com>
Date: Sat, 26 Jan 2013 14:44:55 -0500
From: Jeffrey Walton <noloader@...il.com>
To: FunSec List <funsec@...uxbox.org>, 
	Full Disclosure <full-disclosure@...ts.grok.org.uk>,
	BugTraq <bugtraq@...urityfocus.com>
Cc: secure@...ntu.com, security@...ntu.com
Subject: Re: Ubuntu, Linux Mint, and the Guest Account

It appears the Guest account is still allowed to wander around a
'stock' install of Ubuntu. Below are some examples of information
leakage due to the account.

Surely I'm not the only person who thinks its a bad idea to allow
LightDM (a desktop manager) be a user manager or security manager.

And I can't be the only fellow who thinks its a bad idea that the
account is created in a non-standard way. For example, the account is
not in the standard /etc/passwd or /etc/shadow database; and it cannot
be disabled or removed with `usermod` or `userdel`.

Finally, I can't be the only person who thinks adding the account
surreptitiously is a bad idea. For example, grep'ing 'Guest' returns 0
hits because the lightdm config file lacks a comment on the guest
account (and its enabled by default).

Below is from a fresh Ubuntu Server install:
guest-XuxS7j@...lity:/$ uname -a
Linux utility.home.pvt 3.2.0-36-generic-pae #57-Ubuntu SMP Tue Jan 8
22:01:06 UTC 2013 i686 i686 i386 GNU/Linux
guest-XuxS7j@...lity:/$ whoami
guest-XuxS7j

Information leak follows:
guest-XuxS7j@...lity:/$ cd /home/jeffrey
guest-XuxS7j@...lity:/home/jeffrey$ pwd
/home/jeffrey
guest-XuxS7j@...lity:/home/jeffrey$ cd Documents
guest-XuxS7j@...lity:/home/jeffrey/Documents$

Information leak follows:
guest-XuxS7j@...lity:/home/jeffrey/Documents$ $ cat foo-bar.txt
cat: foo-bar.txt: No such file or directory
guest-XuxS7j@...lity:/home/jeffrey/Documents$ cat Financial-Results-2012.txt
cat: Financial-Results-2012.txt: Permission denied

Root looks clamped:
guest-XuxS7j@...lity:/home/jeffrey/Documents$$ cd /root/
bash: cd: /root/: Permission denied

Perhaps Ubuntu should offer an option to *not* enable the Guest
account at install? Perhaps Ubuntu should encrypt all home directories
by default since the Guest account is allowed to wander the file
system?

And fix the path hack
(https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/868363).
There's no reason this program should be on path. Was this program
acceptance tested? The alternative - removing lightdm - creates an
installation that won't boot properly.

On Sat, May 5, 2012 at 7:42 PM, Jeffrey Walton <noloader@...il.com> wrote:
> I know there's not much new here, but I am amazed that Ubuntu, Linux
> Mint and friends ship with a Guest account present and enabled.
>
> The Guest account is surreptitiously added through a lightdm
> configuration file, and is not part of the standard user database.
> Because its not part of the standard user database, it can't be
> disabled through /etc/shadow, nor disable it through familiar tools
> such as userdel and usermod. Additionally, the damn account does not
> show up in distribution provided tools such as User Accounts applet.
>
> To make matters worse, grepping for guest returns 0 results because
> lightdm.conf does not mention one must add the following to disable
> the guest account (nothing is required to enable the account):
>
>     allow-guest=false
>
> To add insult to injury, the Guest account is not sandboxed and user
> home directories lack sufficient ACLs, so the guest account is able to
> wander through user's home directories:
>
> guest-dojMxl@...mint-12-x64 ~ $ pwd
> /tmp/guest-dojMxl
> guest-dojMxl@...mint-12-x64 ~ $ whoami
> guest-dojMxl
> guest-dojMxl@...mint-12-x64 /home/jwalton $ cd /home/
> guest-dojMxl@...mint-12-x64 /home $ ls -al
> total 12
> drwxr-xr-x  3 root    root    4096 2012-05-05 16:29 .
> drwxr-xr-x 23 root    root    4096 2012-05-05 16:32 ..
> drwxr-xr-x  5 jwalton jwalton 4096 2012-05-05 16:35 jwalton
> guest-dojMxl@...mint-12-x64 ~ $ cd /home/jwalton/
> guest-dojMxl@...mint-12-x64 /home/jwalton $ ls -al
> total 28
> drwxr-xr-x 5 jwalton jwalton 4096 2012-05-05 16:35 .
> drwxr-xr-x 3 root    root    4096 2012-05-05 16:29 ..
> -rw-r--r-- 1 jwalton jwalton  220 2012-05-05 16:29 .bash_logout
> drwx------ 3 jwalton jwalton 4096 2012-05-05 16:35 .cache
> drwxr-xr-x 3 jwalton jwalton 4096 2012-05-05 16:29 .config
> drwxr-xr-x 4 jwalton jwalton 4096 2012-05-05 16:29 .mozilla
> -rw-r--r-- 1 jwalton jwalton  675 2012-05-05 16:29 .profile
> ...
>
>  Is there any reason a KIOSK-like account is enabled by default? Do
> KIOSKs really dominate the desktop market to warrant the account out
> of the box?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ