Locking Guest Accounts
Some days after configuring a guest account on my HP computer, I thought about a simple way a guest could sniff through the system.
I configure GRUB with both a run level 5 and a run level 3 boot. The latter option is intended primarily for administrative maintenance. A guest could select the second option, log in, and sniff around the system. Not that that would help a lot, as the house guest would not know the passwords to look into the other accounts.
Booting to run level 1 requires a root login and is not a concern with the guest account.
After configuring the guest desktop environment such that the guest user could not toggle to alternate consoles, I did not like this little backdoor.
First I tried using passwd -l guest in the rc.local script. If the run level is not run level 5, then run the passwd command to disable the account. That seemed like a decent approach — unless the user boots to run level 5. At that point nobody is logged in and toggling to alternate consoles remains possible. Oops, the guest user can log in.
Next I thought about using rc.local. When that file exists, only root can log in. Yet that means my normal non-root account can't log in either, and all non-root accounts are disabled at the GUI login manager.
I finally settled on a sneakier way. In the guest account's ~/.profile bash startup script I added the following to the beginning of the file:
trap '' 2
This does not affect the GUI login manager, but when a user boots to run level 3 and tries to log in with the guest account, the user is immediately logged out. The trap command disables Ctrl+C, which then prevents the user from trying to interrupt the login process.
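
An added example, not the author's actual ~/.profile: one way to get the immediate logout described above, deciding by terminal type rather than run level so it also covers switching to a text console while the run level 5 login manager is showing. It assumes the account is named guest and that Linux virtual consoles appear as /dev/tty1, /dev/tty2 and so on; the function names are hypothetical.

```shell
# Fragment for the top of the guest account's ~/.profile (added example).

# Ignore Ctrl+C (INT, signal 2, as in the post) and also Ctrl+\ (QUIT) and
# Ctrl+Z (TSTP), so the check below cannot be interrupted or suspended.
trap '' INT QUIT TSTP

# is_text_console TTY: succeed when TTY names a Linux virtual console.
# /dev/pts/N (terminal emulators) and /dev/ttyS0 (serial) do not match.
is_text_console() {
    case "$1" in
        /dev/tty[0-9]*) return 0 ;;
        *)              return 1 ;;
    esac
}

# guest_must_logout USER TTY: succeed when this login should be ended.
guest_must_logout() {
    [ "$1" = "guest" ] && is_text_console "$2"
}

# `tty` prints "not a tty" when stdin is not a terminal; that never matches.
if guest_must_logout "$(id -un)" "$(tty 2>/dev/null)"; then
    echo "Console logins are disabled for this account."
    exit 0
fi

# Login allowed: restore default handling so Ctrl+C works in later shells.
trap - INT QUIT TSTP
```

~/.profile is read only by login shells, so this complements the console-switching restrictions in the guest desktop rather than replacing them.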