My home office is actually just a desk in the den. The den also has a soft comfy couch, fireplace, and a large TV. This makes it a popular room for my teenager and her friends. It is also a place where the family relaxes and watches TV at night. Because of this traffic, people often want to use my computer. So I started looking for a way to allow guest access to my system. Preferably, an account that does not save anything, cannot install anything and leaves no trace of the person when they log out. This is when I happened upon the xguest package.
xguest - Least Privileged X User
The xguest package creates a Guest account with a special SELinux (Security Enhanced Linux) policy. It uses this policy to control the user's access. The user is very restricted and can basically log in and use a browser to access the internet. The SELinux policy also restricts a lot of network ports (like SSH connections) but allows most local applications to run. Also, nothing is saved past the current session. Xguest generates a temporary file system when the Guest account logs in, and it's destroyed when they log out. This means that when the xguest user logs off, or the system rebooted, anything created by the user is gone (cookies, files, cache, etc.).
The xguest user account was designed as a least privilege account for use on kiosks and other open systems that require a graphical interface. The SELinux policy can be changed (and booleans set) to further restrict or expand the users permissions.
This was tested on Red Hat 8, CentOS 7 and Fedora 31. The package is available to all three of these systems. As far as I can tell, the xguest package is not available on Ubuntu.
Pros
- Great for Security
- No access to sudo or su
- Cannot access regular users data or configuration files
- Very restrictive out of the box (SSH, and other common ports are blocked)
- Allows user to run most local applications (Browsers, Libre Office, etc..)
- Very flexible (w/ SELinux knowledge)
- Simple to install and use
Cons
- SELinux has a steep learning curve, not very friendly
- Seems to only be available or Red Hat variants
- Gnome specific utility - Gnome is the default display manager for Red Hat, CentOS, Fedora and other Red Hat variants
Prerequisites for xguest
As discussed above, the xguest packages uses SELinux to secure the Guest account. In order for this to happen, you MUST have SELinux enabled and in enforcing mode. You can check the SELinux status using the sestatus command.
In addition, you must be using the Gnome Display Manager. Gnome is the default display manager for Red Hat, CentOS, Fedora and most other Red Hat variants.
Installing the xguest Package
You can easily install the xguest package using yum or dnf package managers.
Installing xguest with yum (CentOS 7 / Red Hat 7)
sudo yum install xguest
Installing xguest with dnf (Red Hat 8, CentOS 8, Fedora)
sudo dnf install xguest
Available Booleans for xguest Account
There are several pre-defined booleans to allow flexibility for the xguest account. Here are some of the more popular booleans. For a complete list of booleans and allowed tcp ports see the man page in the resources and links section below.
- xguest_mount_media - Allows guest to mount removable media
- xguest_connect_network - Allow xguest to confgure Network Manager, connect to wifi, etc
- xguest_exec_content - Allow xguest to execute files in their home directory and tmp
- xguest_use_bluetooth - Allow xguest to use bluetooth devices
Logging In as Guest
There is no configuration necessary once the package is installed. You will see a user named "Guest" on your GDM login screen. Simply click the user to log in.
The Guest user can now surf the internet, log into their email, and basically do anything within Firefox. They can save files, create documents and send them via email, etc. Once they log out, all of it is gone.
Caveats and Workarounds
One thing that I came across working with the xguest is the Gnome initial setup runs every time the Guest account logs in. This is annoying, especially when I was using the system for a Kiosk. If you have the same problem read "Disable Gnome Initial Setup Screen".
Conclusion
The xguest package worked great for creating a non-privileged account for house guests to use. I have also used it on other projects, including to create check-in kiosks at a local business. If you have experience with SELinux you can really lock it down to only what is required to accomplish a specific task.