[clug-talk] Ubuntu 9.10 is allowing anonymous logins

Royce Souther osgnuru at gmail.com
Sat Oct 9 21:20:41 PDT 2010


The gdm-guest-session package lets users log in and then switch over to an
anonymous guest account. This was allowing people to bypass user-specific
filters and time restrictions.

I removed that stupid package.

On Sat, Oct 9, 2010 at 9:59 PM, Royce Souther <osgnuru at gmail.com> wrote:

> I have been trying to log in as guest but I have not been able to find out
> how users are doing this.
>
>
> On Sat, Oct 9, 2010 at 9:56 PM, Royce Souther <osgnuru at gmail.com> wrote:
>
>> I double checked there is no guest account but I did a grep for guest in
>> /etc/ and found that a temporary guest account was created then deleted.
>>
>> root at amdX4home[~] #grep guest /etc/*
>> /etc/at.deny:guest
>> /etc/bash_completion:#       of Ubuntu's (and Debian's? :() inner
>> weirdness? :) -- David (hanska-guest)
>> grep: /etc/blkid.tab: No such file or directory
>> /etc/group-:guest:x:123:
>> /etc/gshadow-:guest:!::
>> /etc/passwd-:guest:x:115:123:Guest,,,:/tmp/guest-home.EUt4Kx:/bin/bash
>> /etc/shadow-:guest:*:14892:0:99999:7:::
>>
>> Check the times for the files:
>> root at amdX4home[~] #ll /etc/passwd*
>> -rw-r--r-- 1 root root 1.9K 2010-10-09 21:09 /etc/passwd
>> -rw------- 1 root root 2.0K 2010-10-09 20:30 /etc/passwd-
>>
>> Somehow users have found a way to automatically create a guest account
>> that is deleted when they log out.
>> I am continuing to search Google but so far I have not found any
>> information about this great new Ubuntu feature that lets users bypass the
>> security system as set up by the root user.
>>
>>
>>
>> On Sat, Oct 9, 2010 at 9:16 PM, Royce Souther <osgnuru at gmail.com> wrote:
>>
>>> I just found out that anonymous users can log in to an Ubuntu system even
>>> if they do not have an account. They log in to Ubuntu 9.10 as user
>>> *guest*, but there is no such account.
>>>
>>> What the hell? This is a very bad security hole.
>>> How is this possible?
>>> How can I stop it?
>>>
>>> --
>>> Easy, fast GUI development.
>>> http://PerlQt.wikidot.com
>>>



-- 
Easy, fast GUI development.
http://PerlQt.wikidot.com
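
The manual check quoted in this thread (grepping /etc and comparing /etc/passwd with its backup /etc/passwd-) can be scripted. The following is an added example, not part of the original message: it lists accounts that exist in the backup file but not in the live one, and tags those whose home directory matches the /tmp/guest-home.* pattern seen above. The function names and the constructed sample files are assumptions; the package name and the guest passwd line are taken from the thread.

```shell
#!/bin/sh
# Added example (not from the original thread).

# Print accounts present in BACKUP (e.g. /etc/passwd-) but missing from LIVE
# (e.g. /etc/passwd). Homes under /tmp/guest-home.* are tagged GUEST-SESSION.
removed_accounts() {
    awk -F: '
        FILENAME == ARGV[1] { live[$1] = 1; next }   # account names still present
        $1 != "" && !($1 in live) {
            tag = ($6 ~ /^\/tmp\/guest-home\./) ? "GUEST-SESSION" : "REMOVED"
            printf "%s user=%s uid=%s home=%s\n", tag, $1, $3, $6
        }
    ' "$1" "$2"
}

# Report whether the package named in the thread is still installed.
# Prints "installed", "absent", or "unknown" (no dpkg-query on this system).
guest_package_status() {
    command -v dpkg-query >/dev/null 2>&1 || { echo unknown; return 0; }
    if dpkg-query -W -f='${Status}' gdm-guest-session 2>/dev/null |
        grep -q 'ok installed'; then echo installed; else echo absent; fi
}

# Demo on constructed files; on a real host run (as root):
#   removed_accounts /etc/passwd /etc/passwd-
demo() {
    dir=$(mktemp -d) || return 1
    # Constructed live file: the guest account is already gone.
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'alice:x:1000:1000:Alice,,,:/home/alice:/bin/bash' > "$dir/passwd"
    # Constructed backup: the guest line is the one quoted in the thread;
    # "bob" is a made-up, ordinarily deleted account for contrast.
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'alice:x:1000:1000:Alice,,,:/home/alice:/bin/bash' \
        'bob:x:1001:1001:Bob,,,:/home/bob:/bin/bash' \
        'guest:x:115:123:Guest,,,:/tmp/guest-home.EUt4Kx:/bin/bash' > "$dir/passwd-"
    removed_accounts "$dir/passwd" "$dir/passwd-"
    rm -rf "$dir"
}

demo
echo "gdm-guest-session: $(guest_package_status)"
```

The backup file only holds the state before the most recent account change, so a clean result does not prove that no guest session ever ran.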