Brain dump on guest session progress

I have been working on guest account support in GDM but due to the difficulty of this this work has been shelved for now to focus on other tasks (mostly GNOME Software).

The solution I was working towards was to manage account creation in AccountsService (the previous support in LightDM had the LightDM daemon doing this). This makes the accounts easier to identify as guest accounts and means the guest account can be enable / disabled by storing a flag in AccountsService (this previously required a config file in LightDM).

We still have the issue that the display manager failing to clean up guest accounts correctly leaves them lying around. They are easier to identify once AccountsService is involved as they are flagged as guest accounts. It was discussed previously that systemd could be used for temporary accounts, but this seemed to me to be more difficult than using AccountsService.

What work exists today:

  • A patch to AccountsService in the wip/rancell/guest-accounts branch (git.freedesktop.org). This adds new D-Bus methods CreateGuest and DeleteGuest. This patch works.
  • A patch to GDM in the wip/rancell/guest branch. This allows a GDM greeter to log into a guest account by adding the D-Bus API for the greeter and passing it through the GDM layers to the core. I haven’t been able to get this branch to work, and I think part of the issue may be the Polkit checks in AccountsService don’t let GDM create the accounts (even though it is root).
  • A patch to GNOME Shell that shows a guest option on the greeter. This is a bit hacky and would need some cleaning up / restructuring to be suitable upstream.

The main difficulties I have encountered are:

  • The many layers of GDM make it very hard to work out the appropriate way to pass through the requests.
  • GNOME Shell uses the GDM interface which is very complex and not well abstracted. This means there are a number of places when it needs to be modified to interact with the guest support.
  • GNOME Shell is very tied to the AccountsService objects for showing users. My patch hacked up a compatible JS object but Shell should probably support both “real” users and virtual ones.
9 Likes

That’s a sad message, @robert.ancell, even if I of course respect the decision to push the guest session into the background when prioritizing. Many thanks for the efforts you made.

But LightDM is still available and used by most (all?) flavors, and the guest session can be used. I just confirmed that it can be used also on an updated standard Ubuntu bionic after having switched to LightDM. So those who want to use the guest session feature can still do so.

Then there is the big but: On post 16.04 versions the guest session is not confined by AppArmor, so the original security model is broken. For some use cases this is something you can live with, while it’s currently considered impossible in other cases to use the guest session feature on higher versions than 16.04.

Balint Reczey has filed a bug report with a request to adapt the AppArmor profile to systemd. Not anybody can fix that bug. I suppose it needs someone with deep knowledge of the system.

So, now when we maybe won’t see a guest session feature in GDM for the foreseeable future, is there possibly a chance that some developer can be assigned the task to fix the AppArmor profile for LightDM?

4 Likes

We don’t have the required experience in the desktop team to fix the AppArmor issues but I do believe there was someone in the foundations team who was going to look into it for the GDM support. I think it was low on their priority list though.

1 Like

I’m sorry to hear about this TBH. I work for a NPF in London and we used to use Ubuntu for our pool computers and laptops for educational uses; wiki editathons, online courses, projects, volunteers, etc.
It was easy to set up and cheap to install on donated netbooks and laptops, etc. And would connect to our wifi securely without users having to enter a long password each time.
We’ll probably have to look at another operating system to cover for these projects, as most of the course runners and staff aren’t tech savvy and rely on our small inhouse IT team (me) for ideas on the best way to run these courses.
I hope a guest access of some sort in the future, but for the time being, we’ll move back over to Windows 7 as it still has a workable guest session.

Yes, I would be quite sad to see Guest account fade into the background … Every public kiosk I ran into in NZ had Ubuntu with Guest session enabled. I use it in all of my class rooms - 120 desktops.

I understand removing it from server - keep it as part of the desktop please - even if its one of the derivatives … like Lubuntu.

“If you want Guest on the Desktop use Lubuntu” — I could live with this option…

dp

1 Like

@sidrodrigues: Can’t help suspecting that there is a misunderstanding here (which may well be the result of insufficient information).

Ubuntu’s guest session feature is still working as specified in Ubuntu 16.04, which is still available for download and will be supported until 2021.

The current issues with the guest session is present only at later Ubuntu versions. Hence it’s unclear to me how it would be better for you to replace Ubuntu with Windows 7, which is an old OS (from 2009) and whose support will end in 1.5 years.

4 Likes

We have student accounts set up in our classrooms (3 classrooms, ~50 machines) where we use guest logins with Ubuntu 16.04. Further, we set up model accounts where we can customize the student experience when they login so as to streamline their path to the programs and resources they use in our labs. The best feature of this is that when the students logout their persistent settings are wiped so the next student doesn’t have ready access to their online resources. I certainly understand that this is a limited application but given the wide deployment of machines in public spaces this is a useful feature. Possibly it could be added at some later date in the form of a sysadmin add on?

4 Likes

Like @pbeeken I have clients who provide computer access to a many of their customers, which includes an owner of a major hostel in a metropolitan area. This hostel owner has hundreds of customers and their guest who pass through the lobby and has access to the public computers.

I consider it a serious security issue to the none suspecting people who may have their browser history, and other personal data inadvertently exposed to the next person. I also consider it a possible problem for malicious people who may intentionally leave something on the computer that could be a threat to other people who may access the computer after them.

This concern and exploit should be obvious. Up until recently, Ubuntu had the safest resolution against these issues.

I really hope this flaw is recognized and fixed soon.

The Guest account should be in a jail/shell that protects the computer and customer’s local network, and the session and all data should be wiped clean when the user logs out… just like the behavior of the guess account have always been.

– L. James

–
L. D. James
ljames@apollo3.com
www.apollo3.com/~ljames

1 Like

I would like to echo the remarks @ljames and @pbeeken and others have made – I help maintain a set of public computers available to the clients of a local housing shelter, and we absolutely depend on the guest session functionality in Ubuntu 16.04 LTS.

Clients use their email and social media accounts, check their bank accounts, compose resumes and other personal documents, and so forth. They need confidence that when they logout, everything is erased.

And we rely on the convenience of having all user settings restored to a default. Some clients like to reset the desktop background or change other effects, and the guest session allows us to quickly revert those simply by logging the user out when they’re done.

We will be keeping an eye on #1742912 in the high hopes of seeing it resolved before the new LTS release after 18.04!

Thank you very much for this great distribution – we really hope to continue to be able to use it for our clients!

Chris.

3 Likes

When setting up Kiosk type applications which have an option to let user get to desktop most people rely completely on the Guest Session. An account where the user cannot leave anything behind or access very much. The only work around is to have your kiosk application run with root privs, dynamically adding a restricted user account then deleting said account on return.

Rather than trying to hack GDM and everything else, why not create a service?

Said service would dynamically create a non-prived account which automatically logs in without password.

After new account has been idle for a settable amount of time (or logs out) service nukes the account and returns to caller of service.

Ideally service would create this non-prived account on a RAM disk so they would just have to remove the RAM disk with the user.

To me this sounds far simpler than gutting everything.

If a physical guest account must exist for some reason, it’s .profile can run the service for the dynamic.

Ping?

It’s been silent here. Has there been any progress in the last year? I see LightDM’s LP #742912 also hasn’t updated in a year. (I personally would prefer a GDM solution, but can’t find the bug report.)

This is an important bug since many organizations, particularly non-profits and volunteers that support vulnerable populations (elderly, poor, homeless, abused, disabled) rely on Guest Sessions to provide computer access. They are asking for a distribution which has Guest Sessions enabled by default. Is the best answer we can give still “Use Ubuntu 16.04”?

What needs to happen to make sure that Ubuntu 20.04 has this fixed?

5 Likes

Just for reference, the original GDM feature request has since been re-reported on the GNOME projects’ Gitlab.

1 Like

there is a bug about confinement https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1742912