LinuxQuestions.org
Slackware This Forum is for the discussion of Slackware Linux.

Old 02-02-2008, 03:04 PM   #1
mattydee
Member
 
Registered: Dec 2006
Location: Vancouver, BC
Distribution: Debian
Posts: 462

Rep: Reputation: 39
securing guest account


I've created a user called guest on my Slackware home desktop with no password for friends and family to use when they are visiting.

I've disabled su for that user and disallowed ssh to that user.

Anything else I could do to make it secure?
 
Old 02-02-2008, 05:36 PM   #2
tronayne
Senior Member
 
Registered: Oct 2003
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Posts: 3,119

Rep: Reputation: 818
Get rid of it; it's a security hole like you wouldn't believe, or at least put a real password on it (not something like "password") and change it every so often.

If you don't want to do that, change the shell to restricted (make the change in /etc/password); if it's /bin/bash, change it to /bin/rbash (see the man page for bash about what restricted shell does).
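
Added example, not part of the original post: a check for which accounts can log in with no password and whether their login shell is the restricted one suggested above. It assumes the usual colon-separated passwd and shadow layouts; the sample entries (including the account named kiosk) are constructed.

```shell
# passwordless_accounts PASSWD_FILE SHADOW_FILE
# Print "name shell restricted|unrestricted" for each account whose password
# field is empty, i.e. that logs in with no password at all.
# ("*" or "!" in that field means locked, which is a different thing.)
passwordless_accounts() {
    awk -F: '
        FILENAME == ARGV[1] { if ($2 == "") open[$1] = 1; next }  # shadow
        ($1 in open) || $2 == "" {                                # passwd
            n = split($7, part, "/")
            kind = (part[n] == "rbash") ? "restricted" : "unrestricted"
            print $1, $7, kind
        }
    ' "$2" "$1"
}

# Constructed sample files; the hashes are placeholders, not real ones.
sample_passwd() { cat <<'EOF'
root:x:0:0::/root:/bin/bash
guest:x:1001:100::/home/guest:/bin/bash
alice:x:1000:100::/home/alice:/bin/bash
nobody:x:99:99:nobody:/:/bin/false
kiosk:x:1002:100::/home/kiosk:/bin/rbash
EOF
}
sample_shadow() { cat <<'EOF'
root:$1$CONSTRUCTED$placeholderhash:13900:0:99999:7:::
guest::13900:0:99999:7:::
alice:$1$CONSTRUCTED$placeholderhash:13900:0:99999:7:::
nobody:*:9797:0:::::
kiosk::13900:0:99999:7:::
EOF
}

# Demo on the samples. On a real machine, run as root:
#   passwordless_accounts /etc/passwd /etc/shadow
d=$(mktemp -d)
sample_passwd > "$d/passwd"; sample_shadow > "$d/shadow"
passwordless_accounts "$d/passwd" "$d/shadow"
rm -rf "$d"
```

The shell is judged by name only, so "restricted" here means the entry points at rbash, not that the confinement has been tested.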
 
Old 02-02-2008, 09:22 PM   #3
mattydee
Member
 
Registered: Dec 2006
Location: Vancouver, BC
Distribution: Debian
Posts: 462

Original Poster
Rep: Reputation: 39
Thanks, I'll look into rbash.

What's the main security risk for having a passwordless restricted account?
 
Old 02-02-2008, 11:35 PM   #4
shadowsnipes
Senior Member
 
Registered: Sep 2005
Distribution: Slackware
Posts: 1,442

Rep: Reputation: 70
Since it is a home computer you could set up the machine to just automatically log in as a limited user after a preset amount of time of no login action. The user should still have a good password, though. I think you can do this with or without booting into runlevel 4, though I most commonly see it with a graphical login.
 
Old 02-03-2008, 09:00 AM   #5
tronayne
Senior Member
 
Registered: Oct 2003
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Posts: 3,119

Rep: Reputation: 818
Quote:
Originally Posted by mattydee
What's the main security risk for having a passwordless restricted account?
Given that you're setting this up for friends and family, may we assume that the machine is either always or frequently connected to the internet via a high-speed interface? And, if so, have you scanned through /var/log/messages looking for "Failed password for" strings? Over time you will probably see any number of attempts to get into your machine with ssh to common account names that have been known to be "open" in the past (and, yeah, "guest" is one of 'em the bastards try).

Without a password, you've created a "honey pot;" a machine just sitting there waiting for somebody to walk right in, sit on down and see what damage they can cause.

Linux is relatively safe (particularly when compared to anything ever made or ever will be made by Microsoft) but it's a pretty good idea to follow good practice and never offer an open door to any intruder, kind of like locking up the house when you go to bed at night. If a friend or family doesn't like having to use a password, well, too darn bad -- cover your butt.
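
Added example, not part of the original post: a shell function that does the log scan described above, tallying sshd "Failed password for" lines by the account name that was tried. The sample log lines, host name and addresses are constructed.

```shell
# Count sshd "Failed password for" entries per targeted account name.
# Usage: failed_ssh_by_user [LOGFILE]   (default /var/log/messages, "-" = stdin)
failed_ssh_by_user() {
    awk '
        /sshd\[[0-9]+\]: Failed password for / {
            # Locate the word "for"; the account name follows it, or follows
            # "invalid user" when sshd does not accept that name at all.
            for (i = 1; i <= NF; i++) if ($i == "for") break
            if ($(i+1) == "invalid" && $(i+2) == "user") name = $(i+3)
            else name = $(i+1)
            hits[name]++
        }
        END { for (n in hits) printf "%d %s\n", hits[n], n }
    ' "${1:-/var/log/messages}" | sort -k1,1nr -k2,2
}

# Constructed sample in syslog format; addresses are documentation ranges.
sample_log() {
    cat <<'EOF'
Feb  3 04:11:02 darkstar sshd[2101]: Failed password for invalid user guest from 203.0.113.5 port 40112 ssh2
Feb  3 04:11:05 darkstar sshd[2103]: Failed password for invalid user guest from 203.0.113.5 port 40120 ssh2
Feb  3 04:11:09 darkstar sshd[2105]: Failed password for root from 198.51.100.7 port 51514 ssh2
Feb  3 09:30:41 darkstar sshd[2230]: Accepted password for alice from 192.168.1.10 port 50022 ssh2
Feb  3 11:02:17 darkstar sshd[2301]: Failed password for invalid user admin from 203.0.113.5 port 40188 ssh2
Feb  3 11:02:20 darkstar sshd[2303]: Failed password for invalid user guest from 198.51.100.7 port 51590 ssh2
EOF
}

# Demo on the sample; on a real machine call failed_ssh_by_user with no argument.
sample_log | failed_ssh_by_user -
```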
 
Old 02-03-2008, 09:53 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,688
Blog Entries: 54

Rep: Reputation: 2955
I agree passwordless accounts aren't SOP. They should only be used where there's no state kept, like Kiosk mode devices. While it does make some meagre attempts at confinement, Rbash really is crude and not for runlevel 5 confinements. And a jail or chroot "solution" won't do because of dependencies, and any hardening efforts that go beyond that will be invasive (SELinux or GRSecurity) and will cost you much in terms of time and effort to implement. How about making the guest account use a QEmu VM instead? With that you could have zero boot-up time since QEmu allows you to use a preconfigured "-vm" saved state.
 
Old 02-03-2008, 10:04 AM   #7
gnashley
Amigo developer
 
Registered: Dec 2003
Location: Germany
Distribution: Slackware
Posts: 4,775

Rep: Reputation: 481
I use the wdm display manager which allows you to set up a default user and password. When used, this feature allows you to log in to the default account just by hitting ENTER twice. The default user name and password which you set are used. I think this might offer a secure, yet easy way for your guests to log in without trouble, while still allowing you to set a non-common user name and secure password for the account.

You can find sources, src2pkg script and notes here:
http://distro.ibiblio.org/pub/linux/.../wdm/wdm-1.28/
 
Old 02-03-2008, 02:05 PM   #8
mattydee
Member
 
Registered: Dec 2006
Location: Vancouver, BC
Distribution: Debian
Posts: 462

Original Poster
Rep: Reputation: 39
Quote:
Originally Posted by tronayne
Given that you're setting this up for friends and family, may we assume that the machine is either always or frequently connected to the internet via a high-speed interface? And, if so, have you scanned through /var/log/messages looking for "Failed password for" strings? Over time you will probably see any number of attempts to get into your machine with ssh to common account names that have been known to be "open" in the past (and, yeah, "guest" is one of 'em the bastards try).

Without a password, you've created a "honey pot;" a machine just sitting there waiting for somebody to walk right in, sit on down and see what damage they can cause.

Linux is relatively safe (particularly when compared to anything ever made or ever will be made by Microsoft) but it's a pretty good idea to follow good practice and never offer an open door to any intruder, kind of like locking up the house when you go to bed at night. If a friend or family doesn't like having to use a password, well, too darn bad -- cover your butt.
Right, but behind a home router, the ssh port is not available to the outside. (My wifi is wpa2 secured) But perhaps renaming the guest account to something unusual would be a good idea. Thanks
 
Old 02-03-2008, 02:11 PM   #9
mattydee
Member
 
Registered: Dec 2006
Location: Vancouver, BC
Distribution: Debian
Posts: 462

Original Poster
Rep: Reputation: 39
@unSpawn
That's a really interesting option. Although I'm not quite sure how this would work. Would it be possible to start this VM from the kdm login manager?

@gnashley
I think I will try this for now, but with kdm.

Thanks everyone for your input!
 
Old 02-03-2008, 05:32 PM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,688
Blog Entries: 54

Rep: Reputation: 2955
Quote:
Originally Posted by mattydee
That's a really interesting option. Although I'm not quite sure how this would work. Would it be possible to start this VM from the kdm login manager?
Sure can, just think of adding another DE. Make the Qemu command line work (if you don't want to install an OS image use a Live CD or D/L an image from the OSZOO), capture it in a shell script, give the DE option a name, add the name and shell script to the DM's lists in /etc/X11/xinit/*. That's about it.
 
Old 02-03-2008, 08:39 PM   #11
shadowsnipes
Senior Member
 
Registered: Sep 2005
Distribution: Slackware
Posts: 1,442

Rep: Reputation: 70
There are ways to keep a static guest environment using the solution that gnashley and I proposed to you as well.

One way to do this is to first create a normal account and set up the default options and settings.
After that is done you can back up that user's folder somewhere safe.
Delete the contents of the user's home folder and set it up so that upon login those original contents will be copied into the guest's home folder and any extraneous contents will be deleted. This copy/delete process can easily be accomplished using rsync with the --delete option.

You could also mount the user's home folder and the tmp directory on a ramfs.
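
Added example, not part of the original post: the copy/delete reset described above, as a shell function around rsync with --delete. The guard checks and the -c (checksum) option are additions beyond what the post describes, and the paths in the usage comment are placeholders.

```shell
# reset_guest_home TEMPLATE HOME
# Make HOME an exact copy of TEMPLATE: files the guest changed are restored
# and anything added during the session is deleted.
reset_guest_home() {
    # --delete against a wrong path would wipe that directory, so insist on
    # two existing directories and never the filesystem root.
    [ -n "$1" ] && [ -n "$2" ] || return 2
    [ -d "$1" ] && [ -d "$2" ] || return 2
    [ "$(cd "$2" && pwd -P)" != "/" ] || return 2
    # -a        keep permissions, times, symlinks and (as root) ownership
    # -c        compare by checksum; the default size+mtime check would skip
    #           a file edited to the same length with its old timestamp
    # --delete  remove whatever is not in the template
    # Trailing slashes sync the directory contents, not the directory itself.
    rsync -ac --delete -- "$1/" "$2/"
}

# Typical call, as root from whatever hook runs before the guest session
# starts. Both paths are placeholders, not taken from the thread:
#   reset_guest_home /var/lib/guest-template /home/guest
```

Keep the template outside the guest's reach (owned by root's side of the filesystem, not writable by the guest), otherwise the "clean" copy can be altered too.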
 
Old 02-04-2008, 11:36 AM   #12
mattydee
Member
 
Registered: Dec 2006
Location: Vancouver, BC
Distribution: Debian
Posts: 462

Original Poster
Rep: Reputation: 39
Quote:
Originally Posted by shadowsnipes
There are ways to keep a static guest environment using the solution that gnashley and I proposed to you as well.

One way to do this is to first create a normal account and set up the default options and settings.
After that is done you can back up that user's folder somewhere safe.
Delete the contents of the user's home folder and set it up so that upon login those original contents will be copied into the guest's home folder and any extraneous contents will be deleted. This copy/delete process can easily be accomplished using rsync with the --delete option.

You could also mount the user's home folder and the tmp directory on a ramfs.
Thanks for the idea. I think I will create a default home environment, back it up, then restore it when guests leave instead of at every login. That way they can have a desktop environment where they can save files and whatnot for the duration of their stay.
 
  


All times are GMT -5.