
Is a Guest Account in Ubuntu a security vulnerability?



#1 BlueGalaxy


Posted 15 March 2017 - 09:53 PM

Hello, again. When I turn on the Ubuntu Linux operating system, I have two choices, either my normal account or a "guest account". While I am required to use a password to open my main account, no password is required for the guest account. Is that a security vulnerability? Can any cracker break into my computer using the guest account and sabotage the operating system? Should I put a password to the guest account or delete it entirely, and if so how can I do these tasks? When I log into the guest account, a message pops up which says something like, "All files created in this session will not be stored. Please save any files to an external storage device." The guest account also looks just like a fresh install of Ubuntu, with the default wallpaper, and without any extra apps like AdBlocker. I wonder, is it possible to use the guest account to infiltrate the normal account and take control of the computer?





#2 NickAu


Posted 15 March 2017 - 10:04 PM

Hi

 

Hope this answers some of your questions https://wiki.ubuntu.com/BasicSecurity



#3 cat1092


Posted 16 March 2017 - 04:50 AM

> Hi
>
> Hope this answers some of your questions https://wiki.ubuntu.com/BasicSecurity

 

Nick, great article there! :thumbup2:

 

I've been running & pushing Better Privacy for years, one of the add-ons mentioned to install on Firefox. Linux users benefit from many of these add-ons also. Example the Better Privacy one, purges 'LSO' cookies from the Flash folder, that would otherwise remain there for years, no matter how many times 'cleaners' are run. These cookies, if not removed, can still be used to feed us unwanted ads, which are fighting for the same bandwidth as the content we want to see & should be purged with this invaluable add-on. :)

 

Another thing that improves security is not to turn off the locked screensaver, if one chooses to do so, then when the computer is running & one's back is turned, our data is no more secure than on any other OS. Therefore it's important to keep that lock screen enabled, in fact, reduce the time before it kicks in when there are guests in the home.

 

Cat


Performing full disc images weekly and keeping important data off of the 'C' drive as generated can be the best defence against Malware/Ransomware attacks, as well as a wide range of other issues. 


#4 Rocky Bennett


Posted 16 March 2017 - 05:35 AM

One of the very first things I always do is to remove the guest account.

 

http://ubuntuhandbook.org/index.php/2016/04/remove-guest-session-ubuntu-16-04/
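An added example, not part of the thread or of the linked guide: on Ubuntu 16.04 the login screen is LightDM, and the guest session is switched off with `allow-guest=false` under `[Seat:*]` in a drop-in below `/etc/lightdm/lightdm.conf.d/`. The script below checks which setting wins across a set of config files and demonstrates it on a constructed configuration in a temporary directory; the file name `50-no-guest.conf` and the function names are hypothetical, and "no setting means enabled" is an assumption matching the behaviour described in post #1.

```sh
#!/bin/sh
# Added example: report whether LightDM's guest session is allowed.
# Simplification: the last "allow-guest=" line across the files wins;
# section headers such as [Seat:*] are not tracked.

# guest_session_status FILE... -> prints "enabled" or "disabled".
# Files are read in the order given (lowest precedence first).
guest_session_status() {
    status=enabled   # assumption: no setting means the guest session is offered
    for f in "$@"; do
        [ -r "$f" ] || continue
        # Strip whitespace, drop comment lines, keep the last allow-guest value.
        v=$(sed -e 's/[[:space:]]//g' -e '/^#/d' "$f" \
            | sed -n 's/^allow-guest=//p' | tail -n 1)
        case "$v" in
            false) status=disabled ;;
            true)  status=enabled ;;
        esac
    done
    printf '%s\n' "$status"
}

# Write the drop-in that turns the guest session off into directory $1.
# (50-no-guest.conf is a hypothetical file name.)
write_no_guest_dropin() {
    mkdir -p "$1" && printf '[Seat:*]\nallow-guest=false\n' > "$1/50-no-guest.conf"
}

# Demo on a constructed configuration in a temp directory, not the live system.
demo() {
    d=$(mktemp -d)
    printf '[Seat:*]\ngreeter-session=unity-greeter\n' > "$d/50-greeter.conf"
    before=$(guest_session_status "$d"/*.conf)
    write_no_guest_dropin "$d"
    after=$(guest_session_status "$d"/*.conf)
    rm -rf "$d"
    printf '%s -> %s\n' "$before" "$after"
}
demo
```

On a real system the files to pass are `/usr/share/lightdm/lightdm.conf.d/*.conf`, `/etc/lightdm/lightdm.conf.d/*.conf` and `/etc/lightdm/lightdm.conf`, in that order, and LightDM has to be restarted before a change takes effect.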




#5 cat1092


Posted 16 March 2017 - 06:07 AM

While it's a bit more complicated on Linux than Windows, for those with computers that have an onboard TPM (Trusted Platform Module) chip, often 1.2 spec, one can fully lock down all drives, including USB sticks with this technology. The main thing is not losing the key, just as with the /home partition encryption, only this is machine wise. :)

 

http://manpages.ubuntu.com/manpages/yakkety/man4/tpm.4freebsd.html

 

Here's an article that may display a popup page as an ad, though can be closed & a more in-depth discussion of TPM is there. 

 

http://resources.infosecinstitute.com/linux-tpm-encryption/

 

Without the key, no one, not even the owner, can boot the computer w/out the key, and there's various ways to use this other than the key, although this has to be generated for data safety, can be unlocked with another computer with a TPM. It can be used with a smart card, a SD card with the key on it (make sure to hide either of these), or best yet, a fingerprint reader, which is not new, many former business computers that are available today for $50 to 150 that originally sold for $2,00 or more 10 years ago have these. Sometimes in the case with notebooks, the fingerprint reader is in plain sight, although there are no two matching sets, making it near impossible for anyone other than the owner to gain access, unless there's a relative in the home who can come up with a plan to place one's finger there while asleep.

 

There's no better drive security in the World than hardware encryption, and this includes self-encrypted drives. Being that I don't have one of the latter, I don't know how SED drives work, maybe it requires a TPM to work, w/out having one, I can't make the call. Only that any hardware encryption knocks down software hands down. :)

 

Cat




#6 MadmanRB


Posted 16 March 2017 - 04:18 PM

The guest account is reasonably safe for a few reasons:

It doesn't remember files downloaded

It is akin to a temporary user account like that on a live image

It has zero access to sudo

So in general yeah it's okay to use :D


You know you want me baby!

Proud Linux user and dual booter.

Proud Vivaldi user.

 



#7 cat1092


Posted 16 March 2017 - 06:45 PM

Only the main or 'sudo' user can give permissions to guests, and any of these should be very limited for the sake of security. :)

 

A guest account has zero permissions unless in possession of the sudo password, so keeping that a secret is the main thing. Back when I last worked, if our superiors found written on paper passwords on our desks (or in an unlocked desk drawer), that was cause for termination on the spot, no questions asked. That was a top priority, especially when we switched from Apple to Windows computers for the day to day operations of distribution centers.

 

So as long as the screen saver is set to lock when company comes over, or if another lives in the home, one can lock their screen as soon as getting out of the chair. 

 

The way I see it, a personal computer is just that, the personal property of another, meaning that no one else has any business on these for any reason, and if I catch someone on one of mine, there's a high probability that their head will run into a baseball bat that's close by several times. Plus will be charged with whatever the legal term is for break-in (or each attempted break-in) of a digital device that's property of another (may be a Federal crime in the US). The OS has a way, I'm sure, of how many attempts one enters the wrong password to trespass & can be used as admissible evidence in a court of law.

 

As for the baseball bat, an object cannot be charged with a crime, and we the people have a legal right to protect our property however we have to, that's in the US Constitution, somewhere along the lines of the right to bear firearms (if not a felon under serving an active sentence, on parole or probation). In some states, it may be interpreted as 'standing your ground'. 

 

That's another reason why I have webcams running while gone, and when motion is detected, these go into a folder, in an unseen hard drive, and uploaded to Camera Roll folder on OneDrive, am considering investing into a couple of more that can capture high quality (1080p) snapshots at several angles to catch a thief in the act. Stealing as much as a $5 Flash drive is a felony, if it contains personally identifying information (example, a copy of a tax return) on it, even if encrypted. I've had a couple of these stolen in the past, and both later paid the price when going back again. One stole a USB stick in plain sight that was loaded with infections from scanning many computers with Emsisoft Emergency Kit, where I carefully relabeled the quarantine folders as games, wow, did he pay the price.

 

He (my brother-in-law) traded it to a store owner for a pack of cigarettes, and the man beat the living crap out of him. Then my mother-in-law got involved, and once the store owner told her why, and showed her the drive, she knew right then it was mine, as I had cleaned her computer with it & asked him where it came from. He admitted to stealing it from me & then got whacked in the head twice again by her. :lol:

 

The second, was also in the family, grabbed a similar setup, only posed to look like Dora games, and his daughter was calling her dad within a minute saying that 'something's wrong', and sure enough it was. Knowing better than to bring it to me, he paid close to $300 for reloading the OS, and lost a lot of pictures as a result of his actions. Fortunately, it didn't do anything when she at first plugged it into her iPad. He was the one I really wanted to catch, the other was a surprise, I knew that at least two prior USB sticks sprouted legs. A week or two later, while he knew I was at an appointment, brought my USB sticks to his mother (all three) & apologized. Needless to say, this caused hardship for a few months, however if it weren't for freeloading & having sticky fingers, all incidents could have been avoided. :)

 

Plus I would have to be looking at close to $200 in high definition wi-fi cameras to protect my PC room while gone.

 

My advice, do what's necessary to protect your property, and it doesn't hurt to test guests with a 'mouse trap' every now & then, as long as the computer(s) & drives are locked down, and no one (not even a spouse/partner) knows the password, one should be OK. As far as a computer for spouse/partner (or children/grandchildren) goes, a spare computer, or having their own, is best policy.

 

This is why a personal computer (be it a notebook or tower computer) is called just that, it belongs to the one who paid for it, or has the proof of purchase, and if an OEM computer, registered with them for warranty/support purposes. That person is the legal owner of the computer until transferred, something that buyers need to be aware of when purchasing from 3rd parties & need to get in writing, or better yet, obtain transfer as a condition of sale. No one else has any business touching it in any way, shape, or form, unless a search warrant is obtained for a valid reason. :)

 

So as long as precautions are taken, one should be easily able to ensure that no one else has access to their computer. Keep an old XP notebook for guests, rest assured, they likely won't ask again. :P

 

EDIT: Corrected Typo.

 

Cat


Edited by cat1092, 17 March 2017 - 04:20 AM.



#8 Rocky Bennett


Posted 17 March 2017 - 11:32 AM

This might be relevant here;

 

http://thehackernews.com/2017/03/linux-kernel-vulnerability.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheHackersNews+%28The+Hackers+News+-+Security+Blog%29&_m=3n.009a.1452.zn0ao0ax2l.v1o

