Creating a Guest Account
I wanted to add a guest account on my HP desktop. That system is a prophylactic to my two Windows systems. Both Windows 7 and 10 are installed to the hard drive. I run the Windows systems through a virtual machine (VM) using raw disk access. The host operating system is Ubuntu MATE 16.04. The machine is on a VLAN, isolated from the house LAN.
I prefer Slackware on my systems, but I retain Ubuntu because of work. I maintain one Ubuntu and one CentOS system because Debian (Proxmox) and CentOS are used at work on servers. Some of the work desktops and laptops have Ubuntu installed. There is a possibility that additional desktops might be installed with Ubuntu, likely Ubuntu MATE.
Mostly these days I keep the Windows systems for some future projects that will involve interoperability testing. Otherwise I seldom use the HP for anything. Hence the idea of creating a guest account for visitors.
I decided this guest account needs a web browser but probably nothing else. I could provide access to some accessories and utilities, such as a calculator, but there are several physical calculators in the house. Well, maybe I’ll add access to Solitaire.
I do not want the guest account having any access to the system. That means no file manager and available apps must not allow any back door access to browse files using file picker dialogs. There is nothing secret or personal on this system, but the idea of a guest account encourages nominal security thinking. A challenge with a guest account is locking the system.
I have some experience with locking desktops. The living room PC is used to stream videos and music from the LAN server. The computer is treated like an appliance. The desktop is locked.
The Ubuntu folks support guest accounts mounted in tmpfs. Originally I thought I wanted that too. I might still pursue the idea of running in tmpfs, but I decided to create an old fashioned account on the hard drive.
I created the account Guest with a password of guest. I copied the existing user account files and updated directory and file permissions. I deleted cruft config files. I configured autostart programs. I pruned the panel.
Using the living room media player as a template, I emulated the Firefox lock down.
I disabled almost all keyboard shortcuts, including Alt+F2.
I configured the desktop with a single Firefox icon. No other app would be available. Then I felt benevolent. I added Solitaire too.
Before I deleted the panel menu button, I searched the web for a way to disable toggling to consoles using the traditional Ctrl+Alt+Fx keys. A once popular method for doing this is using an xorg.conf and the DontVTSwitch option. Sadly, that is a global sledge hammer affecting all users. I wanted only to disable this toggling with the new guest account.
Surprisingly, a few moments of staring into space bubbled a solution. The MATE Control Center provides a keyboard layout tool. In that tool are many xkb options. For example, I like having Ctrl+Alt+Backspace available on all computers. In this guest account challenge, I found what I needed under Miscellaneous compatibility options: Special keys (Ctrl+Alt+<key>) handled in a server. This option is the xkb equivalent of srvrkeys:none, which can be found in the MATE configuration using dconf-editor.
I remembered I might some day need maintenance access. Like the living room media player, I enabled Alt+F2. I deleted the menu button from the panel and logged out. I copied the dconf user file to user-with-alt-f2. I logged in and disabled Alt+F2.
Done.
On this computer I do not lock the BIOS, the GRUB boot loader, or disable USB or the optical disk drive. A live ISO would provide a user access to the computer and bypass the intent of the guest account. I would enable those options if I could not control who used this computer. At the moment I do not expect any guests to try bypassing the guest account, even if they had the knowledge, which they don’t.
Posted: Category: Tutorial, Usability Tagged: General
Next: VirtualBox Shared Folder File Permissions
Previous: Faster Updates