Provide a guest session account by default
It is very common to lend someone else a laptop for a quick email check, or having one's computer play music and be a surf station on a party.
Instead of requiring people to create guest accounts with widely known or empty passwords, Ubuntu should set up a locked down guest account with a temporary home directory by default, where an existing user must authenticate the start of a guest session. This avoids passwordless accounts, which are a security threat.
Blueprint information
- Status:
- Complete
- Approver:
- Scott James Remnant (Canonical)
- Priority:
- High
- Drafter:
- Martin Pitt
- Direction:
- Needs approval
- Assignee:
- Martin Pitt
- Definition:
- Approved
- Series goal:
- Accepted for intrepid
- Implementation:
- Implemented
- Milestone target:
- None
- Started by
- Martin Pitt
- Completed by
- Martin Pitt
Related branches
Whiteboard
Done:
- gdm patch
- gdm-guest-session package (temporary user and home dir)
- AppArmor rules
- deny at access ("guest" already happens to be in default at.deny)
- deny cron access (by AppArmor rules, denying to write into /var/spool/cron)
- suppression on live system
- network access restricted to TCP and UDP.
- package promoted to main and seeded, ubuntu-meta rebuilt
- fusa integration
- test case/release note in spec