Locking Guest Accounts

Some days after configuring a guest account on my HP computer, I thought about a simple way a guest could sniff through the system.

I configure GRUB with both a run level 5 and a run level 3 boot. The latter option is intended primarily for administrative maintenance. A guest could select the second option, log in, and sniff around the system. Not that this would help a lot, as the house guest would not know the passwords to look into the other accounts.

Booting to run level 1 requires a root login and is not a concern with the guest account.

After configuring the guest desktop environment such that the guest user could not toggle to alternate consoles, I did not like this little backdoor.

First I tried using passwd -l guest in the rc.local script. If the run level is not run level 5, then run the passwd command to disable the account. That seemed like a decent approach — unless the user boots to run level 5. At that point nobody is logged in and toggling to alternate consoles remains possible. Oops, the guest user can log in.

Next I thought about using /etc/nologin through rc.local. When that file exists, only root can log in. Yet that means my normal non-root account can't log in either, and all non-root accounts are disabled at the GUI login manager.

I finally settled on a sneakier way. In the guest account ~/.profile bash startup script I added the following to the beginning of the file:

trap '' 2

logout

This does not affect the GUI login manager, but when a user boots to run level 3 and tries to log in with the guest account, the user is immediately logged out. The trap command disables Ctrl+C, which prevents the user from interrupting the login process.
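The guard only works while it stays at the very beginning of the file, with the trap ahead of the logout. The following check is an added example, not part of the original post; the function name check_guest_guard and the decision to accept INT as a synonym for signal 2 are assumptions made here.

```shell
#!/bin/sh
# Added example: verify that a profile still begins with the guard from the post.
# check_guest_guard FILE
#   returns 0 when the first two commands are the SIGINT trap and logout,
#   1 when the guard is missing, late, or out of order, 2 when FILE is unreadable.
check_guest_guard() {
    profile=$1
    [ -r "$profile" ] || { echo "UNREADABLE: $profile"; return 2; }

    # Reduce the file to its first two effective lines: trim whitespace,
    # drop comment-only and blank lines, collapse tabs and runs of spaces.
    effective=$(sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
                    -e '/^#/d' -e '/^$/d' "$profile" \
                | tr '\t' ' ' | tr -s ' ' | head -n 2)
    first=$(printf '%s\n' "$effective" | sed -n 1p)
    second=$(printf '%s\n' "$effective" | sed -n 2p)

    # The trap must come first: any command ahead of it runs while
    # Ctrl+C can still interrupt the startup script.
    case $first in
        "trap '' 2"|'trap "" 2'|"trap '' INT"|'trap "" INT') ;;
        *) echo "FAIL: first command is not the SIGINT trap: $first"; return 1 ;;
    esac

    # logout must follow immediately, before anything else in the profile runs.
    [ "$second" = "logout" ] || {
        echo "FAIL: second command is not logout: $second"; return 1; }

    echo "OK: guard intact in $profile"
}

# Constructed sample profile (not taken from a real system).
sample=$(mktemp)
printf '%s\n' "# guest ~/.profile" "trap '' 2" "" "logout" "PATH=\$PATH:\$HOME/bin" > "$sample"
check_guest_guard "$sample"
rm -f "$sample"
```

Run it against the guest account's ~/.profile after any change to that file; a non-zero exit status means the text-console lockout no longer behaves as described.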

Posted: Category: Tutorial, Usability Tagged: General
