Monday, May 7, 2012

Ubuntu and Linux Mint: the Guest Account can't be disabled through /etc/shadow, nor through familiar tools such as userdel and usermod.

Full Disclosure mailing list archives

Ubuntu, Linux Mint, and the Guest Account
From: Jeffrey Walton <noloader () gmail com>
Date: Sat, 5 May 2012 19:42:00 -0400

I know there's not much new here, but I am amazed that Ubuntu, Linux Mint and friends ship with a Guest account present and enabled.

The Guest account is surreptitiously added through a lightdm configuration file, and is not part of the standard user database. Because it's not part of the standard user database, it can't be disabled through /etc/shadow, nor through familiar tools such as userdel and usermod. Additionally, the damn account does not show up in distribution provided tools such as User Accounts applet.

To make matters worse, grepping for guest returns 0 results because lightdm.conf does not mention one must add the following to disable the guest account (nothing is required to enable the account):

    allow-guest=false

To add insult to injury, the Guest account is not sandboxed and user home directories lack sufficient ACLs, so the guest account is able to wander through users' home directories:

Read More...
http://seclists.org/fulldisclosure/2012/May/45

What!!?? Something good to know!...

Don
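
Added example (not part of the original post or the mailing-list message): a shell audit for the two conditions the message describes, a lightdm.conf that lacks an active allow-guest=false line and home directories that other users can read or traverse. The paths /etc/lightdm/lightdm.conf and /home and the function names guest_state and open_homes are assumptions of this example.

```shell
#!/bin/sh
# Added example; function names and default paths are assumptions,
# not taken from the post.

# guest_state FILE
# Prints "disabled" only if the last uncommented allow-guest line in FILE
# is set to false. A missing file or missing key prints "enabled", since
# the post notes that nothing is required to enable the account.
guest_state() {
    conf=$1
    value=""
    if [ -r "$conf" ]; then
        # A line starting with '#' does not match, so commented-out
        # settings are ignored. Using the last match is this example's choice.
        value=$(sed -n 's/^[[:space:]]*allow-guest[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*$/\1/p' "$conf" | tail -n 1)
    fi
    case "$value" in
        false) echo disabled ;;
        *)     echo enabled ;;
    esac
}

# open_homes BASE
# Prints each directory directly under BASE whose mode grants "other"
# read or execute permission, which is what lets an unsandboxed guest
# session browse it. Only mode bits are checked, not POSIX ACL entries.
open_homes() {
    find "$1" -mindepth 1 -maxdepth 1 -type d \
        \( -perm -004 -o -perm -001 \) 2>/dev/null | sort
}

# Run the audit only when asked, so the functions can be sourced safely.
if [ "${1:-}" = "--audit" ]; then
    echo "guest account: $(guest_state /etc/lightdm/lightdm.conf)"
    echo "home directories open to other users:"
    open_homes /home
fi
```

Directories it lists can be closed to other users with chmod o-rwx on each one.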


