Taking a Closer Look at Leopard’s Guest Account

In this article I will take a closer look at the Guest Account feature of Leopard. I will outline and explain some interesting security issues that I found.

Let’s start simple. Apple describes the Guest Account as follows on their web site:

Guest Login Accounts

Allow anyone to surf the web and check email as a guest on your Mac. When your guest logs out, Mac OS X purges the account, removing any trace of activity. So each time someone logs in as a guest, he or she gets a fresh, unused account.

Also, the Accounts preferences says this about the Guest Account:

Enable the guest account so that friends can temporarily login in to your computer. Logging in to the guest account does not require a password. Users cannot log in to the guest account remotely.

When a guest user logs out, all information and files in the guest’s account’s home folder are deleted.

Apple makes it sound as if the guest account is a quick and secure way to allow a stranger to use your Mac temporarily. This is far from reality though. Guest users have far more access to your computer than you would probably think.

Here are my biggest worries.

• There is no specialized security mode for guests – This is the big one and the core of all the other problems I describe next. If you enable the Guest Account then you are giving the guest user full access to a highly sophisticated UNIX workstation. Aka, your Mac. Guest users can execute any program on your Mac. Start a UNIX shell, poke around. Run exploits, nasty scripts, etc. Make sure you understand what that means.
• Guests have access to real accounts – I was really surprised that the Guest user does not run in some ’sandbox’ environment that limits access to resources. In a simple test I could navigate back to a real account and look in all non-standard folders and even open files there. The standard folders in your home folder, like Library, Deskop, Music or Documents, all have the nice little red stop sign on it, but for example my Projects and Administration folders are NOT protected. I created these by simply doing ‘New Folder’ . Make sure you understand this when you create a guest account. This is probably fixable by tuning the permissions correctly of course, but I had expected that a guest user would not have access to anything related to real users by default.
• Guest Users have full access to some global resources – Here is a worrisome example. My phone is linked with my Mac through Bluetooth. I was under the impression that Bluetooth worked on a per-user basis. This turned out not to be the case: when logged in as the guest user I could simply start the BlueTooth File Exchange application and browse the contents of the phone. Again you would assume that a guest user would have limited access. Wrong again.
• Guest users CAN leave files behind – On the 300+ New Features page Apple says “When your guest logs out, Mac OS X purges the account, removing any trace of activity.“. This sounds to me like they mean that the guest user can leave no stuff on your computer. That is simply not true: I logged in as the guest user and dropped files in /Users/Shared and /tmp. I then logged out and switched to my real account. It should not be a big surprise that these files were still there. There are probably many more directories with wrong permissions where a guest user can drop files.
• Background processes started by guests keep running – even after logging out – As a simple test I opened a terminal window and started ’screen’. The ’screen’ utility is a simple tool to put a terminal session in the background and pick it up later. I was able to run ‘top’ in a screen session, log out from the guest account, log back in, and pick up the session again, with the top tool running in it. Again this is not something most people realize. It is trivial for a guest to keep software running on your Mac. I don’t understand why all the guest processes are not killed when the guest user logs out.
• Guest users CAN log in to your mac remotely – As I explained in the previous point it is trivial to keep a background process running. Even when the guest user is logged out. This also means that it is trivial to start a little server in the background that allows someone to connect back to your Mac. One could easily write a little FTP or Shell server in Python or Perl for example.

I am not really surprised that a full UNIX account has so much access. I AM surprised however that the guest account actually IS a full UNIX account. I am also very surprised that Apple did not use any of the security mechanisms available in Leopard to limit what guest users can do. Fixing and improving this would be nice. Apple should at least educate and explain users what the security implications of the Guest Account are.

If you still insist to have a Guest Account on your system then I strongly suggest you use the Parental Controls to give this account as less possible permissions and access. You can use a Simple Finder and select just a bunch of Applications.

The Simple Finder is also not a fully secure solution though The core problem stays: the guest account is by nature still a full unix account. For example, in my test setup I enabled the Simple Finder and configured it so that only Safari can be started. You can’t browse the full filesystem from the Simple Finder anymore, but using Safari and file:// URLs or simply by selecting Open… from the File menu I was still able to browse the whole disk and real user’s home directories.

The Guest Account could have been implemented in a much better way. Leopard has many improvements like the sandbox facility, signed applications, access control lists and a new firewall. Not letting the Guest Account use any of these features is a big missed opportunity.

Hey I did not use the word Lame. Oops!