After a recent package update, the guest session feature is no longer available on Ubuntu 16.10 and 17.04. What happened?
Asked
Active
Viewed 6,320 times
21
-
if that applies like that to 18.04 can we add tags to that version please. – TiloBunt Jun 18 '18 at 20:41
-
@TiloBunt: Thanks for pointing it out. It does apply to all versions later than 16.04 which use LightDM, so I dropped the version tags instead and changed the title. Default display manager for standard Ubuntu as from 17.10 is GDM, which does not carry a guest session feature at all. – Gunnar Hjalmarsson Jun 18 '18 at 21:11
-
Related: [How to enable guest sessions on Ubuntu 18.04 or later?](https://askubuntu.com/questions/1112349/how-to-enable-guest-sessions-on-ubuntu-18-04-or-later) – Eliah Kagan Aug 27 '19 at 17:11
1 Answers
17
The guest session was intentionally disabled by default due to a security issue, where the guest session was not contained by the AppArmor profile that usually limits guest sessions. This AppArmor profile, among other things, prevents a guest user from using su to switch to other users, or viewing other users' home directories.
You can enable it, if you consider the issue to be manageable on your system, as explained in comment #24 of the bug report or by using this one liner:
sudo sh -c 'printf "[Seat:*]\nallow-guest=true\n" >/etc/lightdm/lightdm.conf.d/40-enable-guest.conf'
To reverse it back to the disabled state, simply do:
sudo rm /etc/lightdm/lightdm.conf.d/40-enable-guest.conf
Gunnar Hjalmarsson
- 32,938
- 3
- 63
- 94
-
-
-
@GunnarHjalmarsson A systemd thing? So, everything since 15.04? Or is it due to the switch from upstart to systemd for user session inits? – muru May 15 '17 at 15:53
-
1
-
-
-
@muru: Thanks for the edit, but I removed the `su` part since it reasonably not applies (guests are not included in `/etc/sudoers`). – Gunnar Hjalmarsson May 15 '17 at 16:19
-
2@GunnarHjalmarsson It's not a big deal, but a) `su` doesn't use `sudoers`, and b) AppArmor apparently prevents `su` and `sudo` from functioning properly for guests (so `sudoers` doesn't even enter the picture). A user would need to know a valid user's password, but on an otherwise locked down system without access to TTYs, it does open a hole. – muru May 15 '17 at 16:24
-
@muru: Hmm.. I thought that `su` couldn't be used without `sudo`, but apparently it can. I retract (just edited back). Thanks for the lesson! – Gunnar Hjalmarsson May 15 '17 at 16:36
-
But is there a problem, if other user's home directory is encrypted? What could guest user do by `su`? – jarno Jan 12 '19 at 08:27
-
-
One problem is that the home directory that uses ecryptfs does not encrypt again even on logout, see [LP: 1734541](https://bugs.launchpad.net/ubuntu/+source/gnome-session/+bug/1734541). Anyway, it seems that Xubuntu 18.04 does not suffer from the guest session security issue; see [the continuation bug report](https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1742912) – jarno Dec 04 '19 at 23:34
-
-
@OlliverK: To use `su`: yes, to view your home directory: no. – Gunnar Hjalmarsson Jun 24 '20 at 13:11
-
1@GunnarHjalmarsson I don't really keep anything on my internal hard drive, so I'm not worried about that. Thanks for the information. – Olliver K Jun 24 '20 at 21:49
-
@muru can you explain how does it open a hole? Do you mean someone can try to log in to your system via network by using guest session or what? – jarno Apr 22 '21 at 22:40
-
@jarno I mean if there's a set up where your average user is only intended to use the guest session (e.g., a kiost at a mall or a library or something), then allowing them to be able to `su` to another user would be a security hole. – muru Apr 23 '21 at 01:09
-
@muru oh, I have to try it. Though currently I am unable to exit my guest session due to some bug kinds of which have been around for several years :( – jarno Apr 23 '21 at 10:52