Guest sessions in 18.04 LTS - are they needed?

I really miss the guest account feature. I often find myself in settings, where people want to borrow my computer, but I can’t trust them access to my info otherwise, and it was very nifty to be able to just open a guest account and leave them with that.

Private browsing features does not meet this need, because they’ll still be free to wander all over my computer, private files etc. I think the feature should definitely come back.

I newer used guest session, it will be good to have it disabled by default.

I believe that is helpful. I can borrow my laptop to somebody else, and they would be unable to intentionally or inadvertently run destructive commands.

Perhaps have a script in the menu (after installation) under system settings called “Setup Guest Account”. This way the ability is there for those that want it, and for those that do not use it then its one less thing to remove/disable.

We use it exactly the same way. We will have to move to something with a guest account if the feature is dropped.

It looks like we can still get guest sessions in 18.04 by switching to the lightdm display ( login ) manager.

**EDIT: However, due to bug bug CVE-2017-8900 guest accounts are not restricted like there were in 16.04, the most practical difference is that some applications can read other users files ( or even write, it depends on your file permissions like any normal multiuser system ) . Most applications in Xubuntu 18.04 seem to be restricted but until that bug is resolved there are no guarantees. **

I started a wiki page with instructions that I will try to keep updated here:
http://wiki.groovix.org/index.php?title=Enable_Guest_Logins_in_Ubuntu_18.04_Bionic

In short, you just have to:

  1. sudo apt install lightdm ; # be sure to choose lightdm as the default greeter

  2. sudo gedit /usr/share/lightdm/lightdm.conf.d/50-disable-guest.conf ; #change it to: allow-guest=true , NOTE: bug CVE-2017-8900

  3. Reboot the computer

The security issue at bug #1663157 is not fixed. Please don’t mislead users to believe otherwise, as you currently do on that page.

I think that this message is a more fair description of the current status of the guest session feature.

When I run
cat /proc/self/attr/current
I get:
/usr/lib/lightdm/lightdm-guest-session (enforce)

so I thought it was fixed, what is the proper way to tell when it has been fixed?

On which Ubuntu version do you get that?

I get “unconfined” on 18.04, but the desired output on 16.04. I’m not an expert on AppArmor, and don’t know about a better way, but everyone - except you :wink: - seem to acknowledge bug #1742912 as something which remains to be fixed.

See also this Ask Ubuntu answer.

I see “(enforce)” on both Ubuntu 18.04 and Xubuntu 18.04:

However I can browse into /home/* directories with the file manager on Ubuntu so indeed it is not working. However In Xubuntu 18.04 the file manager does seem to be apparmor restricted. I’m not an expert on AppArmor so I don’t know what is going on, I’ll post to that bug report for clarification.

However even without AppArmor guest sessions can still be useful for a lot of cases. Does apparmor provide any practical benefit for a guest session besides preventing the guest from viewing other user’s files that are world readable ( preventable with chmod and umask ) ?

I understand you don’t want to give people a false sense of protection though. If AppArmor isn’t practical for guest sessions maybe another approach like a chroot or virtual machine could be implemented.

Interesting. Can’t explain why you get the confirmation. I thought the issue was a result of the switch to systemd for user login. Isn’t Xubuntu using systemd for user login in 18.04, btw? Would be good if we could figure out what’s going on.

I agree on that, and like you I’d like to get the word out.

However, Ubuntu’s guest session is known as a feature which allows you to enter a restricted guest session. That was true as long as the AppArmor profile worked as intended, but the guest session is currently not more restricted than any standard user (leaving your Xubuntu observations aside for now).

With that said, it’s a feature which allows you to enter a session as a temporary user, and everything is cleaned up when you log out. That’s indeed useful in many use cases, and many system owners can live with the absence of the extra security which AppArmor used to provide.

So I really don’t want to discourage you from informing about the guest session. My point is that it’s important to be correct with respect to the AppArmor protection.

Of course we need the guest accounts! We have a lot of by-passers in our office/workspace that can take any free computer, but now that idea will be off…
Hopefully i can hack the guest account in…

Yes, guest sessions are a must! I find it very useful when I let someone use my computer for my and their privacy and so that they don’t accidentally break anything.

Personally, I definitely won’t upgrade to 18.04 as long as it doesn’t have this feature.

We have a commercial product that uses guest sessions extensively. Users interact with the system and after logging in using the guest session a web-browser launches which lets them access the web interface to control our product.

A removal of the guest session feature will prevent us from upgrading to this LTS release

2 Likes

I find a guest session a necessity outside my home and a wonderful convenience in my home.
Outside my home, for example, I donated a computer to our Senior Center. The Seniors use guess session.
They can more safely do their online banking and other business as there is nothing left behind (account numbers, other personal data) when they log out.
In my home, it didn’t matter who came to visit, they could surf to their hearts content.
Yes, I wish wonderful Ubuntu 18.04 had Guest-session.

1st, Thank you!
I understand what has been discussed so far concerning guests accessing other user files.
I’ll certainly try this out on an old laptop at home.
Outside my home, I need guest accounts for systems I maintain (for free) and donate to seniors.
2nd, a question: “Does THIS guest account in your post protect the guest’s user’s data after logout”.
Is all the guest’s data gone or is any potentially exploitable residual left behind?
My users are non-IT savvy seniors (ages 65-101) using a donated laptop.
Thank you.

Notice: The guest-login install I am discussing is not a locked-down guest session/guest login.
Thanks everyone for the insight on Guest sessions and the challenges. I look forward to seeing what Team Ubuntu does in this arena.
Following guidelines above from user opensense, I have succeeded in installing an UNSECURED-guest-login.
I will now work to see how well I can lock it down. This is fun!
My initial Install notes (for this unsecure guest login):
I deviated and used the software install apps in Ubuntu instead us using “sudo apt install”.
Using “Ubuntu Software” app, it failed miserably (too many issues, but not a complete install, libs missing, etc.).
Using “Synaptic Package Manager” (downloaded from “Ubuntu Software”) I was able to successfully install (unsecured) guest login. The only thing I had to do (as provided by opensource) after installing was:
sudo gedit /usr/share/lightdm/lightdm.conf.d/50-disable-guest.conf ; #change it to: allow-guest=true
and Reboot my computer.
HUGE SECURITY FLAWS already addressed above in brief: My GUEST USER can get to all my directories, open all my files, including unzipping files. As anticipated, my guest user is NOT kept from my system files nor user files.
IT DOES APPEAR the guest user is relatively secure from me and anyone who follows afterwards IF he/she logs out when done. (IF anyone knows otherwise, I’d love to hear it). I cannot find data, websites visited, or any other residual left behind by the GUEST.
GUEST SESSION are needed in Ubuntu 18.04 for many of us. Thank you Team Community.Ubuntu.com for hosting this ‘question and answers’ and the ensuing discussions on it.
ADDED NOTE May 3, 2018: I am now able to keep the ‘guests’ out of my user’s file system by running the following on each user’s home directory:
sudo chmod -R o-rwx *
This removes access (rwx (Read, Write, eXecute) access) from guest to my user’s files/folders.
This does not (repeat, NOT!) remove access to system file I have not yet locked down.
(BTW, should we move this discussion to another area since we’ve moved to discussing HOWTOs or are we ok here?)

I also work in a school where we use the guest account extensively and daily. Today we started building our new 18.04 build (only use LTS), and saw that guest account was gone. Will probably move away from ubuntu or stick with 16.04 until it dies. We use it for, guests to the school, and stand alone computers that we want to have a particular function but don’t want to manage a different set of users for. We use gsuite for our user management on chromeOS for the most part.

I’ve my laptop near the sofa, and guest sometimes have used it
I think it is a good business card for showing Ubuntu
ciao
v

1 Like

I REALLY MISS THE FEATURE in 18.04!!!
Hundreds of students in my school using the computer laboratory equipped with Lubuntu 16.04.
Guest sessions ensure a secure, reliable enviroment for every one of them.
So I can’t currently upgrade to Lubuntu 18.04.
Has anyone suggestions, how to solve the problem without loosing security?
Thanks for feedback!

1 Like