Ubuntu – How is the guest account prevented from using su and sudo

Tags: apparmor, guest-session, security, su, sudo

It's already known that the guest account can't use su or sudo:

How is this done?

My guess would be apparmor. However, there's no mention of either in /etc/apparmor.d/lightdm-guest-session (or other files included in it).

Is it done by denying some capability?

$ grep cap /etc/apparmor.d/abstractions/lightdm
  capability ipc_lock,
  deny capability dac_override,
  deny capability dac_read_search,

dac_override seems to be a good candidate. According to man capabilities:

CAP_DAC_OVERRIDE
      Bypass file read, write, and execute permission checks.  (DAC is
      an abbreviation of "discretionary access control".)

CAP_DAC_READ_SEARCH
      * Bypass  file  read  permission  checks  and directory read and
        execute permission checks;
      * Invoke open_by_handle_at(2).

Is this it, or is it some other capability? Or is it not apparmor at all?


Apparently, it's the setgid capability. From syslog for a su attempt:

Mar 18 12:14:52 muru-wily kernel: [ 5285.025017] audit: type=1400 audit(1458283492.316:159): apparmor="DENIED" operation="capable" profile="/usr/lib/lightdm/lightdm-guest-session" pid=25687 comm="su" capability=6  capname="setgid"

However:

$ sudo grep setgid /etc/apparmor* -R
/etc/apparmor.d/disable/usr.sbin.rsyslogd:  capability setgid,
/etc/apparmor.d/usr.sbin.tcpdump:  capability setgid,
/etc/apparmor.d/cache/.features:caps {mask {chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read
/etc/apparmor.d/usr.sbin.cupsd:  capability setgid,
/etc/apparmor.d/usr.sbin.cupsd:  capability setgid,
/etc/apparmor.d/usr.sbin.rsyslogd:  capability setgid,
/etc/apparmor.d/abstractions/lightdm_chromium-browser:    capability setgid,     # for sandbox to drop privileges
/etc/apparmor.d/abstractions/dovecot-common:  capability setgid,
/etc/apparmor.d/abstractions/postfix-common:  capability            setgid,

Aside from the .cache folder, nothing seems to be restricting setgid. However, man apparmor.d says:

Capabilities
   The only capabilities a confined process may use may be enumerated;

If I understand correctly, then if any capabilities are listed, then only those can be used – all others are restricted. Does the capability ipc_lock line automatically restrict all other unmentioned capabilities? If so, why deny capability dac_override and deny capability dac_read_search?
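As an added example (not part of the question or the answer), a small Python parser for AppArmor `type=1400` audit lines of the form quoted above, tallying which capabilities each confined profile is being denied. The first sample line is the `su` denial from the question; the other lines are constructed.

```python
import re
from collections import Counter

# Constructed sample: line 1 is the su denial quoted in the question,
# lines 2-4 are made up in the same AppArmor audit format.
SAMPLE_LOG = """\
Mar 18 12:14:52 muru-wily kernel: [ 5285.025017] audit: type=1400 audit(1458283492.316:159): apparmor="DENIED" operation="capable" profile="/usr/lib/lightdm/lightdm-guest-session" pid=25687 comm="su" capability=6  capname="setgid"
Mar 18 12:15:03 muru-wily kernel: [ 5296.101200] audit: type=1400 audit(1458283503.410:160): apparmor="DENIED" operation="capable" profile="/usr/lib/lightdm/lightdm-guest-session" pid=25702 comm="sudo" capability=7  capname="setuid"
Mar 18 12:15:09 muru-wily kernel: [ 5302.220000] audit: type=1400 audit(1458283509.001:161): apparmor="ALLOWED" operation="open" profile="/usr/sbin/cupsd" pid=1201 comm="cupsd" name="/etc/cups/cupsd.conf"
Mar 18 12:16:40 muru-wily kernel: [ 5393.500100] audit: type=1400 audit(1458283600.123:162): apparmor="DENIED" operation="capable" profile="/usr/lib/lightdm/lightdm-guest-session" pid=25731 comm="su" capability=6  capname="setgid"
"""

# key=value pairs; values are either double-quoted or a bare token
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_apparmor_line(line):
    """Return a dict of the key=value fields of one AppArmor audit line,
    or None if the line is not an apparmor= audit record."""
    if 'apparmor="' not in line:
        return None
    fields = {}
    for key, raw, quoted in KV_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def capability_denials(log_text):
    """Count 'capable' denials per (profile, comm, capname)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_apparmor_line(line)
        if f and f.get("apparmor") == "DENIED" and f.get("operation") == "capable":
            counts[(f["profile"], f["comm"], f["capname"])] += 1
    return counts


if __name__ == "__main__":
    for (profile, comm, cap), n in sorted(capability_denials(SAMPLE_LOG).items()):
        print(f"{n:3d}  {profile}  comm={comm}  capability={cap}")
```

Run against a real `/var/log/syslog` (or `journalctl -k`) the same function shows which capability a confined program is tripping over, which is the quickest way to confirm what a profile actually restricts.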

Best Answer

From doing a quick search, I think the answer is that Ubuntu does not actually have a guest account; it uses a "guest session". Guest sessions cannot make any real changes to a system, so if you log on and try to save a file to the session's home directory, when you log out, those files are removed.

You can almost think of a guest session as a live USB/CD session.

Most of my searches on guest session only give me options to remove it. I did find one that talked about creating a guest user, and that is different from the guest session.
