9

I want a guest account just like in Ubuntu which has the following features:

  1. It does not require a password to log in
  2. A new home folder (in /tmp if possible) is created with no data every time
  3. User data is deleted as soon as he/she logs out
  4. The user cannot use sudo

I am running Gnome 3.20 on Arch Linux.

NOTE: please don't close my question as a duplicate of "Create guest account with restricted access to applications", because that question does not have answers to my 2nd and 3rd points.

Alex Jones
  • This is relevant. Perhaps even a dupe if the answer works for you: [Create guest account with restricted access to applications](http://unix.stackexchange.com/a/205418). – terdon Jan 29 '16 at 14:31
  • @terdon it looks like a workaround and not exactly like Ubuntu – Alex Jones Jan 29 '16 at 14:32
  • I have no idea how Ubuntu does it. If you need "exactly like Ubuntu", you'll have to [edit] your question and explain what that means. However, the links provided in the linked answer give the ways you can limit a user's authority and are almost certainly how Ubuntu has implemented whatever they've implemented behind the scenes. Try it. – terdon Jan 29 '16 at 14:34

2 Answers

11

It turns out it's quite simple with GDM. I assume you're using GDM since you're also using Gnome. First, create the guest user account with a blank password:

    sudo useradd -d /tmp/guest -p $(openssl passwd "") guest

`openssl passwd ""` will return the hash of the empty string, thereby setting the password to blank.

Now, all you need are these two scripts:

  • /etc/gdm/PostLogin/Default

This is executed after you log in and will create the /tmp/$guestuser (/tmp/guest by default) directory and copy the default files from /etc/skel to it. To change the default username for the guest user, set guestuser to something else at the beginning.

 <!-- language: lang-bash -->

    #!/bin/sh

    guestuser="guest"

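    ## Set up guest user session
    if [ "$USER" = "$guestuser" ]; then
        mkdir /tmp/"$guestuser"
        ## "/etc/skel/." copies every default file, including dot-directories;
        ## the glob .* also matches "." and "..", which cp skips with errors
        cp -R /etc/skel/. /tmp/"$guestuser"/
        chown -R "$guestuser":"$guestuser" /tmp/"$guestuser"
    fi

    exit 0

  • /etc/gdm/PostSession/Default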

This is executed after you log out and will remove the /etc/$guestuser directory and all its contents. Make sure to set guestuser to the same value in both scripts.

 <!-- language: lang-bash -->

    #!/bin/sh

    guestuser="guest"

    ## Clear up the guest user session
    if [ "$USER" = "$guestuser" ]; then
        rm -rf /tmp/"$guestuser"
    fi

    exit 0

Finally, make the two scripts executable:

    sudo chmod 755 /etc/gdm/PostLogin/Default /etc/gdm/PostSession/Default

Now, just log out and you will see your new guest user. You can log in by selecting it and hitting Enter when prompted for a password. The guest user won't be able to use sudo since that is the default for all users anyway. Only users explicitly mentioned in /etc/sudoers or those who are members of groups explicitly mentioned in sudoers (such as wheel or sudo, depending on your distribution) can use sudo.


If you are using a recent version of GDM, it may disable the login button while the password box is empty. To work around this you can tell GDM not to prompt for the password for specific groups. The caveat is that this will also bypass the session selection menu for members of that group. If you want to do this you should add this line at the beginning of /etc/pam.d/gdm-password:

    auth sufficient pam_succeed_if.so user ingroup guest

terdon
  • Why do you have to `chmod` those files? There is no need for that, because those scripts are run by root – Alex Jones Jan 29 '16 at 19:13
  • @edwardtorvalds so? What difference does that make? Root can't execute non-executable files. And yes, you do need it because I tried it without making them executable and it failed. It would appear the scripts are being run directly (`/path/to/script`) and not as arguments to `sh`. Which makes sense since the examples provided included a shebang line. – terdon Jan 29 '16 at 19:17
  • On the login screen, your solution requires pressing Enter without entering anything, which worked in 3.16. In newer Gnome (probably from 3.18) you cannot press Enter without entering anything, so the workaround is to keep the hashed password section in `/etc/shadow` empty. – Alex Jones Apr 13 '16 at 12:28
  • Since the `/tmp/guest/` folder does not exist on startup, the shadow service of systemd is failing every time – Alex Jones May 08 '16 at 06:03
  • I added a paragraph on using PAM to bypass the gdm password prompt – MattSturgeon Mar 16 '17 at 15:54
  • @MattSturgeon thanks. I assume you've tested that, right? – terdon Mar 16 '17 at 15:55
  • @terdon works fine on my arch machine. It was actually required since gdm now won't attempt to login until you have entered a password. May be worth double checking that `useradd` always creates a default group (on all unix distros), since the PAM line uses groups. – MattSturgeon Mar 16 '17 at 15:57
  • @MattSturgeon yeah, it seems perfectly reasonable, I just asked because since I haven't tested it, I couldn't know whether it works. Great edit, thanks! – terdon Mar 16 '17 at 15:58
  • What will happen if two people (try to) login as “guest” simultaneously? Will the second one succeed?  (I don’t see anything that would stop it.) Will the `PostLogin` script run again when the second user logs in?  (This would overwrite the `/tmp/guest` **`.*`** files, which shouldn’t be an issue, since it would be (somewhat) silly for the (first) user to edit them.)  Will the `PostSession` script run when the first user logs out?  (This would delete the `/tmp/guest` directory, which might greatly inconvenience the second user.) – G-Man Says 'Reinstate Monica' Jun 22 '17 at 07:20
  • @G-Man yes, good point. It will probably break if two guest accounts log in at the same time. – terdon Jun 22 '17 at 08:08
  • This only worked for me after I replaced `#!/bin/sh` with `#!/bin/bash` because the `if` statement was failing with `sh` for some reason. Took me 15 minutes of testing and debugging. – tjespe Nov 06 '17 at 20:03
  • I had to replace the if statement on PostSession script, not sure why, maybe it runs as gdm user and not guest? So just tries to delete the guest drive when anyone logs out now, but it works! – 43Tesseracts Jun 12 '20 at 18:30
  • @43Tesseracts sorry, my bad. The `if [[` is a bash thing, so it works if your `/bin/sh` is pointing to bash, but not if it is pointing to some other shell (e.g. `dash` as is the case on Debian and Ubuntu). The updated answer should work for all of them. – terdon Jun 12 '20 at 18:38
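
Added example, not part of either answer or of GDM: the PostLogin and PostSession logic from the answer above written as two functions that refuse a `/tmp/guest` that already exists (a second guest login, as raised in the comments, or a path created by another local user) and only delete a real directory owned by the guest. The function names and the choice to refuse rather than reuse an existing path are assumptions of this example.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not GDM's or the answer's.

# create_guest_home HOME SKEL OWNER GROUP
# For /etc/gdm/PostLogin/Default (run by root).
create_guest_home() {
    home=$1; skel=$2; owner=$3; group=$4
    # Plain mkdir (no -p) fails if the path exists in any form, including a
    # symlink or a directory left by someone else, so root never populates
    # or chowns a tree it did not just create. Mode 700 keeps the session
    # private from other local users.
    if ! mkdir -m 700 "$home" 2>/dev/null; then
        echo "guest home $home already exists, not reusing it" >&2
        return 1
    fi
    # "$skel/." copies dotfiles and dot-directories without matching "..";
    # -P copies symlinks inside the skeleton as symlinks.
    cp -RP "$skel/." "$home/" || return 1
    # -h changes a symlink itself, never the file it points to.
    chown -R -h "$owner:$group" "$home"
}

# remove_guest_home HOME OWNER
# For /etc/gdm/PostSession/Default (run by root).
remove_guest_home() {
    home=$1; owner=$2
    # find does not follow a symlink operand, so this matches only a real
    # directory owned by the guest; anything else is left alone.
    if [ -n "$(find "$home" -prune -type d -user "$owner" 2>/dev/null)" ]; then
        rm -rf -- "$home"
    else
        echo "not removing $home: missing, a symlink, or wrong owner" >&2
        return 1
    fi
}

# Usage inside the two GDM scripts (guestuser="guest" as in the answer):
#   [ "$USER" = "$guestuser" ] && \
#       create_guest_home "/tmp/$guestuser" /etc/skel "$guestuser" "$guestuser"
#   remove_guest_home "/tmp/$guestuser" "$guestuser"
```

Because `remove_guest_home` checks ownership of the directory instead of `$USER`, it can be called unconditionally from PostSession.
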
2

You could make use of logoff scripts. There you can delete the home folder for your guest account and create a new one on logout. If necessary, you could make it sudoable by the guest account via visudo. Add `yourguestacc ALL=(root) NOPASSWD: /path/to/script/recreating/the/home/folder`. See the Arch wiki for further information.

nox