Putorius
Miscellaneous, Security

xguest - Guest Access / Kiosk Mode on a Linux System

Hotel guest book or comments book and service bell at reception

My home office is actually just a desk in the den. The den also has a soft comfy couch, fireplace, and a large TV. This makes it a popular room for my teenager and her friends. It is also a place where the family relaxes and watches TV at night. Because of this traffic, people often want to use my computer. So I started looking for a way to allow guest access to my system. Preferably, an account that does not save anything, cannot install anything and leaves no trace of the person when they log out. This is when I happened upon the xguest package.

xguest - Least Privileged X User

The xguest package creates a Guest account with a special SELinux (Security Enhanced Linux) policy. It uses this policy to control the user's access. The user is very restricted and can basically log in and use a browser to access the internet. The SELinux policy also restricts a lot of network ports (like SSH connections) but allows most local applications to run. Also, nothing is saved past the current session. Xguest generates a temporary file system when the Guest account logs in, and it's destroyed when they log out. This means that when the xguest user logs off, or the system rebooted, anything created by the user is gone (cookies, files, cache, etc.).

The xguest user account was designed as a least privilege account for use on kiosks and other open systems that require a graphical interface. The SELinux policy can be changed (and booleans set) to further restrict or expand the users permissions.

This was tested on Red Hat 8, CentOS 7 and Fedora 31. The package is available to all three of these systems. As far as I can tell, the xguest package is not available on Ubuntu.

Pros

  • Great for Security
    • No access to sudo or su
    • Cannot access regular users data or configuration files
    • Very restrictive out of the box (SSH, and other common ports are blocked)
  • Allows user to run most local applications (Browsers, Libre Office, etc..)
  • Very flexible (w/ SELinux knowledge)
  • Simple to install and use

Cons

  • SELinux has a steep learning curve, not very friendly
  • Seems to only be available or Red Hat variants
  • Gnome specific utility - Gnome is the default display manager for Red Hat, CentOS, Fedora and other Red Hat variants

Prerequisites for xguest

As discussed above, the xguest packages uses SELinux to secure the Guest account. In order for this to happen, you MUST have SELinux enabled and in enforcing mode. You can check the SELinux status using the sestatus command.

In addition, you must be using the Gnome Display Manager. Gnome is the default display manager for Red Hat, CentOS, Fedora and most other Red Hat variants.

Installing the xguest Package

You can easily install the xguest package using yum or dnf package managers.

Installing xguest with yum (CentOS 7 / Red Hat 7)

sudo yum install xguest

Installing xguest with dnf (Red Hat 8, CentOS 8, Fedora)

sudo dnf install xguest 

Available Booleans for xguest Account

There are several pre-defined booleans to allow flexibility for the xguest account. Here are some of the more popular booleans. For a complete list of booleans and allowed tcp ports see the man page in the resources and links section below.

Logging In as Guest

There is no configuration necessary once the package is installed. You will see a user named "Guest" on your GDM login screen. Simply click the user to log in.

The Guest user can now surf the internet, log into their email, and basically do anything within Firefox. They can save files, create documents and send them via email, etc. Once they log out, all of it is gone.

Caveats and Workarounds

One thing that I came across working with the xguest is the Gnome initial setup runs every time the Guest account logs in. This is annoying, especially when I was using the system for a Kiosk. If you have the same problem read "Disable Gnome Initial Setup Screen".

Conclusion

The xguest package worked great for creating a non-privileged account for house guests to use. I have also used it on other projects, including to create check-in kiosks at a local business. If you have experience with SELinux you can really lock it down to only what is required to accomplish a specific task.

Resources and Links

Exit mobile version