Ubuntu Decreases Security and Calls it a Feature?
Have you played with the latest version of Ubuntu yet? Ubuntu 11.10 named Oneiric Ocelot (Who makes up these names?), was released last month and comes with a couple surprises.
When you boot it up, you will see two differences. First of all, the standard Gnome Desktop is not installed by default. Unity, which was an option in 11.04, is now the standard desktop. Unity is a graphical interface that makes your system look more like the latest fad tablet Operating Systems. I hated it at first, but it has grown on me.
Don’t like it? No worries, you can install the classic gnome interface with the following command:
sudo apt-get install gnome-panel
But the second addition is the most concerning. If you look at the user list there is a new user present – “Guest Session”. There is no security on this account. Just select “Guest Session”, leave the password blank and log in!
Okay, I know, you need to be an admin to be able to run anything potentially damaging. If you log into the Guest account and try to run a system command you get “Permission Denied”. And you still need the root password to install software and execute the ‘SUDO’ command. So what is the problem?
It is an opening, a small crack. And where there is a crack, there is an opportunity for exploit. Microsoft learned this lesson years ago and has since disabled the Guest account by default.
Why would Ubuntu do this?
“The Guest account is not really a problem, and it’s been there a long time, it’s just that it’s a bit more obvious now that it’s listed in the login screen.”, Mentions an Ubuntu team member in a support forum.
Luckily he also mentions how to disable it, because the user does not show up in the user list!
You can disable the guest account (in 11.10 only) by editing the /etc/lightdm/lightdm.conf and add the line:
You will need to reboot for this to take effect.
When I first heard about this, I updated one of my Ubuntu 11.04 systems to 11.10 to see if this was true. Sure enough, after the update was complete and the system rebooted – I had a “Guest Session” account. I did not have any guest users enabled on my system before.
Don’t get me wrong, I love Ubuntu, am an avid user and highly recommend it.
But enabling users with no passwords by default? Call it a feature I guess?