Full Disclosure mailing list archives
From: Jeffrey Walton <noloader () gmail com>
Date: Sat, 5 May 2012 19:42:00 -0400
I know there's not much new here, but I am amazed that Ubuntu, Linux Mint and friends ship with a Guest account present and enabled. The Guest account is surreptitiously added through a lightdm configuration file, and is not part of the standard user database. Because its not part of the standard user database, it can't be disabled through /etc/shadow, nor disable it through familiar tools such as userdel and usermod. Additionally, the damn account does not show up in distribution provided tools such as User Accounts applet. To make matters worse, grepping for guest returns 0 results because lightdm.conf does not mention one must add the following to disable the guest account (nothing is required to enable the account): allow-guest=false To add insult to injury, the Guest account is not sandboxed and user home directories lack sufficient ACLs, so the guest account is able to wander through user's home directories:
Read More...
http://seclists.org/fulldisclosure/2012/May/45
What!!?? Something good to know!...
Don
No comments:
Post a Comment