guest account

I was trying to set up a guest account for my box to be used by my friends when
they come to my home and they wanna use the internet for a while.

I think that having a limited guest account on a Desktop box is useful anyway
and in the end safer than letting other people use your account for a
while.
This obviously applies just to the home environment.
IMHO the option to have a guest account could be added to firstboot too.

The desired behaviour is:

_ Login just in the Desktop Environment
_ No login on terminal or any remote access (ssh, samba, etc...)
_ No password required

The best solution I have been able to find has been:

Add the user:
# adduser -g users -d /home/guest -s /bin/bash -m guest

Delete the password (maybe not needed):
# passwd -d guest

Lock the account to prevent any access:
# passwd -l guest

Modify the file /etc/pam.d/gdm:
#%PAM-1.0
auth       required     pam_env.so
auth       sufficient   pam_listfile.so item=user sense=allow file=/etc/X11/gdm/nopassusers onerr=fail
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so

The file /etc/X11/gdm/nopassusers will keep a list of users that don't need
to give a password to log in on gdm, so we add guest to it:

# echo guest > /etc/X11/gdm/nopassusers

Improvements:
I'm not sure but maybe the best check order in /etc/pam.d/gdm could be:

#%PAM-1.0
auth       required     pam_env.so
auth       required     pam_nologin.so
auth       sufficient   pam_listfile.so item=user sense=allow file=/etc/X11/gdm/nopassusers onerr=fail
auth       required     pam_stack.so service=system-auth
[...]

Since I'm not sure about it I leave that unchanged, but I'll wait for comments
about it.

It can also help to have another X server running so you don't have to log out
from your account (you just have to lock the screen); this can be done by
editing /etc/X11/gdm/gdm.conf, adding in the "[servers]" section the line:

1=Standard

(Note: you switch between servers using Ctrl-Alt-F7 and F8)

I was also trying to set the restricted bash (bash -r) for the guest account
but it obviously doesn't work since many X scripts are made to run on the full
bash.

Any other improvement is really welcome... in the first place those related to
security.

-- 
Simon.
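
Added example (not part of Simon's message): a shell check to run after the steps above, confirming that guest stays locked in shadow, that the allow list names only guest, and that no PAM service other than gdm references the list. The function name audit_guest and its ROOT argument are assumptions made for this example; the paths are the ones given in the post.

```shell
#!/bin/sh
# Added example: audit the passwordless-guest setup described in the post.
# audit_guest ROOT [USER] reads ROOT/etc/... so it can run against a copy;
# ROOT="" audits the live system (needs root to read /etc/shadow).
audit_guest() {
    root=$1 user=${2:-guest} fails=0
    list=/etc/X11/gdm/nopassusers

    # 1. The shadow password field must be locked (starts with '!'), so the
    #    account cannot pass password authentication in any other service.
    field=$(awk -F: -v u="$user" '$1 == u { print $2 }' "$root/etc/shadow")
    case $field in
        '!'*) ;;
        *) echo "FAIL: $user is not locked in shadow"; fails=$((fails + 1)) ;;
    esac

    # 2. The allow list must name the guest user and nobody else: every
    #    name in it skips the password prompt in gdm.
    if ! grep -Fxq "$user" "$root$list" 2>/dev/null ||
       grep -Fxqv -e "$user" -e '' "$root$list"; then
        echo "FAIL: $list must contain only $user"; fails=$((fails + 1))
    fi

    # 3. Only the gdm service may reference the allow list; the same line in
    #    sshd, login, system-auth, etc. would skip the password there too.
    for f in "$root"/etc/pam.d/*; do
        [ "${f##*/}" = gdm ] && continue
        if grep -v '^[[:space:]]*#' "$f" | grep -qF "file=$list"; then
            echo "FAIL: ${f##*/} references $list"; fails=$((fails + 1))
        fi
    done

    # 4. gdm itself must carry the pam_listfile line, failing closed.
    grep -v '^[[:space:]]*#' "$root/etc/pam.d/gdm" |
        grep -F "pam_listfile.so" | grep -F "file=$list" | grep -qF "onerr=fail" ||
        { echo "FAIL: gdm lacks the onerr=fail listfile line"; fails=$((fails + 1)); }

    [ "$fails" -eq 0 ] && echo "OK: $user is passwordless in gdm only"
    return "$fails"
}

# Run as: sh audit.sh ""        (live system, as root)
if [ "$#" -gt 0 ]; then audit_guest "$@"; fi
```

The exit status is the number of failed checks, so the script can be dropped into a cron job or a post-update hook.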
