Taking a Closer Look at Leopard’s Guest Account
In this article I will take a closer look at the Guest Account feature of Leopard. I will outline and explain some interesting security issues that I found.
Let’s start simple. Apple describes the Guest Account as follows on their web site:
Guest Login Accounts
Allow anyone to surf the web and check email as a guest on your Mac. When your guest logs out, Mac OS X purges the account, removing any trace of activity. So each time someone logs in as a guest, he or she gets a fresh, unused account.
Also, the Accounts preferences says this about the Guest Account:
Enable the guest account so that friends can temporarily login in to your computer. Logging in to the guest account does not require a password. Users cannot log in to the guest account remotely.
When a guest user logs out, all information and files in the guest’s account’s home folder are deleted.
Apple makes it sound as if the guest account is a quick and secure way to allow a stranger to use your Mac temporarily. This is far from reality though. Guest users have far more access to your computer than you would probably think.
Here are my biggest worries.
- There is no specialized security mode for guests – This is the big one and the core of all the other problems I describe next. If you enable the Guest Account then you are giving the guest user full access to a highly sophisticated UNIX workstation, in other words, your Mac. Guest users can execute any program on your Mac: start a UNIX shell, poke around, run exploits, nasty scripts, etc. Make sure you understand what that means.
- Guests have access to real accounts – I was really surprised that the Guest user does not run in some ‘sandbox’ environment that limits access to resources. In a simple test I could navigate back to a real account and look in all non-standard folders and even open files there. The standard folders in your home folder, like Library, Desktop, Music or Documents, all have the nice little red stop sign on them, but for example my Projects and Administration folders are NOT protected. I created these by simply doing ‘New Folder’. Make sure you understand this when you create a guest account. This is probably fixable by tuning the permissions correctly of course, but I had expected that a guest user would not have access to anything related to real users by default.
- Guest Users have full access to some global resources – Here is a worrisome example. My phone is linked with my Mac through Bluetooth. I was under the impression that Bluetooth worked on a per-user basis. This turned out not to be the case: when logged in as the guest user I could simply start the BlueTooth File Exchange application and browse the contents of the phone. Again you would assume that a guest user would have limited access. Wrong again.
- Guest users CAN leave files behind – On the 300+ New Features page Apple says “When your guest logs out, Mac OS X purges the account, removing any trace of activity.” This sounds to me like they mean that the guest user can leave no stuff on your computer. That is simply not true: I logged in as the guest user and dropped files in /Users/Shared and /tmp. I then logged out and switched to my real account. It should not be a big surprise that these files were still there. There are probably many more directories with wrong permissions where a guest user can drop files.
- Background processes started by guests keep running – even after logging out – As a simple test I opened a terminal window and started ‘screen’. The ‘screen’ utility is a simple tool to put a terminal session in the background and pick it up later. I was able to run ‘top’ in a screen session, log out from the guest account, log back in, and pick up the session again, with the top tool running in it. Again this is not something most people realize. It is trivial for a guest to keep software running on your Mac. I don’t understand why all the guest processes are not killed when the guest user logs out.
- Guest users CAN log in to your Mac remotely – As I explained in the previous point it is trivial to keep a background process running, even when the guest user is logged out. This also means that it is trivial to start a little server in the background that allows someone to connect back to your Mac. One could easily write a little FTP or shell server in Python or Perl, for example.
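The three findings above (unprotected hand-made home folders, world-writable drop locations, processes surviving logout) can be checked from the admin account with a small audit script. This is an added example, not code from the article; it assumes a POSIX sh with find, chmod, ps and mktemp, and the folder layout it inspects is constructed inline to mirror the article's Desktop/Projects/Administration case.

```shell
#!/bin/sh
# Added example (not from the original article): audit a home folder the way the
# article's guest-user test did, but from the admin side, then harden it.

# List top-level folders in $1 that "other" users (such as the Guest) can read or
# enter, i.e. folders without the red stop sign. Uses octal bits for portability.
exposed_dirs() {
    find "$1" -mindepth 1 -maxdepth 1 -type d \( -perm -004 -o -perm -001 \) \
        -exec basename {} \; | sort
}

# List directories directly under the given roots where any user may create
# files (the article's /Users/Shared and /tmp case).
droppable_dirs() {
    find "$@" -maxdepth 1 -type d -perm -002 2>/dev/null | sort
}

# Processes still running under user $1 after logout (e.g. a detached screen).
leftover_processes() {
    ps -U "$1" -o pid=,comm= 2>/dev/null
}

# Remove read/write/execute for "other" on every top-level folder of $1, giving
# hand-made folders the same protection the standard ones already have.
harden_home() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -exec chmod o-rwx {} +
}

# Constructed sample home: standard folders are 700, hand-made ones are 755,
# plus a sticky world-writable folder standing in for /Users/Shared.
make_sample_home() {
    d=$(mktemp -d)
    mkdir -m 700 "$d/Desktop" "$d/Documents"
    mkdir -m 755 "$d/Projects" "$d/Administration"
    mkdir -m 1777 "$d/Shared"
    printf '%s\n' "$d"
}
```

Run it against a real account with `exposed_dirs /Users/<name>` and `droppable_dirs /Users/Shared /tmp`; `leftover_processes Guest` after the guest has logged out shows what survived.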
I am not really surprised that a full UNIX account has so much access. I AM surprised however that the guest account actually IS a full UNIX account. I am also very surprised that Apple did not use any of the security mechanisms available in Leopard to limit what guest users can do. Fixing and improving this would be nice. Apple should at least educate and explain users what the security implications of the Guest Account are.
If you still insist on having a Guest Account on your system then I strongly suggest you use the Parental Controls to give this account as few permissions and as little access as possible. You can use a Simple Finder and select just a handful of applications.
The Simple Finder is also not a fully secure solution, though. The core problem stays: the guest account is by nature still a full UNIX account. For example, in my test setup I enabled the Simple Finder and configured it so that only Safari can be started. You can’t browse the full filesystem from the Simple Finder anymore, but using Safari and file:// URLs, or simply by selecting Open… from the File menu, I was still able to browse the whole disk and real users’ home directories.
The Guest Account could have been implemented in a much better way. Leopard has many improvements like the sandbox facility, signed applications, access control lists and a new firewall. Not letting the Guest Account use any of these features is a big missed opportunity.
Hey I did not use the word Lame. Oops!
While most Unix vets consider a guest account the least trustable, Apple’s guests seem to simply be regular accounts that have a special clean-up done after log out. Apple’s guests are probably more common with visiting relatives, while the Unix guest is more typical of a school or copy shop. At the very least the vocabulary should change if the features don’t.
As for the file destroying features for household guests, I’d like a way for the contents of the user’s home folder to get archived and given ownership to an admin rather than being deleted completely and automatically. Would I know where to have Disk Warrior look for Aunt Susan’s resume that she didn’t realize would be deleted when she logged out?
Thanks for your insights. This is a great article.
Cheers,
-Ryan
I really appreciate your analysis here. You’re right that Apple bills this like you could just let anyone use your Mac with this account and not have to worry, but that’s not the case at all. In fact, I’m going to make sure I disable this account on the systems I configure. It’s one extra security hole I don’t want to have to worry about.
Great article. I wish Apple gave us a supported way to totally delete the account so our supported end users (with admin rights) can’t enable it. Here is an unsupported way: http://patgmac.blogspot.com/2007/11/leopard-keeping-guest-account-disabled.html
You may want to warn people about the Guest Account “feature” in Leopard. When turned on, some have reported that when they try to log out of their Admin accounts, the OS warns them that they are actually logged in as a Guest and everything will be erased upon logout, and then proceeds to do it. There is a workaround, but if you are not paying attention and do not know about it (which is most people), you could wind up losing data and having to restore from a backup (or be SOL if you don’t backup). Lucky for me I caught the warning and backed up.
For now it seems best to turn off Guest Account. If you want a guest account, just make one a regular user account rather than enabling the auto-delete function of the official Guest Account.
http://discussions.apple.com/thread.jspa?threadID=1237336&start=0&tstart=0