Ubuntu Decreases Security and Calls it a Feature

Friday, November 18, 2011

Dan Dieterle


Have you played with the latest version of Ubuntu yet? Ubuntu 11.10, named Oneiric Ocelot (who makes up these names?), was released last month and comes with a couple of surprises.

When you boot it up, you will see two differences. First of all, the standard GNOME desktop is no longer installed by default. Unity, which was an option in 11.04, is now the standard desktop.

Unity is a graphical interface that makes your system look more like the latest fad tablet Operating Systems. I hated it at first, but it has grown on me.

Don’t like it? No worries, you can install the classic GNOME interface with the following command:

sudo apt-get install gnome-panel

But the second addition is the more concerning one. If you look at the user list on the login screen there is a new entry: “Guest Session”. This account has no password at all. Just select “Guest Session” and you are logged in; you are never asked for a password.

Okay, I know: you need administrative rights to do anything really damaging. If you log into the guest session and try to run a privileged command you get “Permission denied”. The guest user is not a member of the admin group, so it cannot use sudo and therefore cannot install software. (Ubuntu has no root password by default; sudo asks for the calling user’s own password, and the guest does not have one.)

So what is the problem?

It is an opening, a small crack, and where there is a crack there is an opportunity for exploitation. A guest session hands anyone with physical access a working shell, a browser and network access as an unprivileged local user, which is exactly the foothold a local privilege-escalation bug needs. Microsoft learned this lesson years ago and has shipped the Guest account disabled by default ever since.

Why would Ubuntu do this?

“The Guest account is not really a problem, and it’s been there a long time, it’s just that it’s a bit more obvious now that it’s listed in the login screen,” an Ubuntu team member wrote in a support forum.

Luckily he also explains how to disable it, which matters because the guest account is created on the fly at login and does not appear in the Users and Groups tool, so you cannot simply delete it there.

You can disable the guest account (in 11.10 only) by editing /etc/lightdm/lightdm.conf and adding the line:


You will need to reboot (or restart LightDM, which ends your current session) for this to take effect.
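The setting the post refers to is allow-guest=false in the [SeatDefaults] section of lightdm.conf: LightDM permits guest logins whenever that key is absent, so checking for it is the only reliable way to confirm a box is locked down. The script below is an added example, not code from the post or from Ubuntu. It defines a check that reports whether a given config still allows guest sessions and a fixer that forces the setting, replacing any existing allow-guest line in that section and creating the section if it is missing. The file path argument, the .tmp scratch file and the section-matching rules are my own assumptions about the config layout.

```shell
#!/bin/sh
# Added example (not from the original post): check and fix the guest-session
# setting in a LightDM config. Pass a path to work on a copy; without an
# argument it targets /etc/lightdm/lightdm.conf, which needs root to edit.

# Returns 0 (true) when the config still permits guest sessions. LightDM allows
# guest logins unless [SeatDefaults] contains allow-guest=false, so a missing
# key, an allow-guest=true, or a missing file all count as "allowed".
guest_allowed() {
    conf="${1:-/etc/lightdm/lightdm.conf}"
    [ -r "$conf" ] || return 0
    awk '
        /^[ \t]*\[/ { in_seat = ($0 ~ /^[ \t]*\[SeatDefaults\][ \t]*$/) }
        in_seat && $0 ~ /^[ \t]*allow-guest[ \t]*=[ \t]*false[ \t]*$/ { found = 1 }
        END { exit found ? 1 : 0 }
    ' "$conf"
}

# Forces allow-guest=false under [SeatDefaults]. Any existing allow-guest line
# in that section is dropped and a single false entry is written directly under
# the header; the section is appended if absent. Running it twice is harmless.
disable_guest() {
    conf="${1:-/etc/lightdm/lightdm.conf}"
    if ! guest_allowed "$conf"; then
        return 0                          # already disabled, nothing to do
    fi
    if grep -q '^[ \t]*\[SeatDefaults\]' "$conf" 2>/dev/null; then
        awk '
            /^[ \t]*\[/ { in_seat = ($0 ~ /^[ \t]*\[SeatDefaults\][ \t]*$/) }
            in_seat && /^[ \t]*allow-guest[ \t]*=/ { next }   # drop old value
            { print }
            in_seat && /^[ \t]*\[SeatDefaults\]/ { print "allow-guest=false" }
        ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        printf '\n[SeatDefaults]\nallow-guest=false\n' >> "$conf"
    fi
}

# Usage:  sudo sh disable-guest.sh                 (edits the live config)
#         sh disable-guest.sh ./lightdm.conf.copy  (edits a copy for review)
# Then reboot, or run "sudo restart lightdm", for LightDM to pick it up.
if [ $# -gt 0 ]; then
    disable_guest "$1" && echo "guest session disabled in $1"
fi
```

The check only trusts an explicit allow-guest=false inside [SeatDefaults]; a stray allow-guest=false in some other section, or a commented-out one, still reports the guest session as enabled, which is the conservative answer you want from an audit script.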

When I first heard about this, I updated one of my Ubuntu 11.04 systems to 11.10 to see if this was true. Sure enough, after the update was complete and the system rebooted – I had a “Guest Session” account. I did not have any guest users enabled on my system before.

Don’t get me wrong, I love Ubuntu, am an avid user and highly recommend it. But enabling users with no passwords by default? Call it a feature I guess?

Cross-posted from Cyber Arms

Dan Dieterle: My buddy Adam wrote a great follow-up to this article on his blog "DT's Guide to Life and Linux".

Adam shows that a remote shell to the guest account is possible if the guest user does not follow safe surfing rules when on the internet:

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
