[systemd-devel] Should systemd-logind provide a DM-independent mechanism for handling guest accounts?

Daniel J Walsh dwalsh at redhat.com
Tue Nov 11 14:56:37 PST 2014


It would be fairly easy to set up pam_namespace for the guest user to
provide a temporary /tmp and ~/.  Now, just like we do for xguest.

Then you could set up the login account to use no password and the
guest_u user and allow users onto the system.

This would get you most of the things you want.  The problems would be
in having multiple users get access to the machine at the same time.
For this you need something that generates a UID on the fly for the
user.  I would expect a fairly simple pam module could be done for this.

One problem with this though would be a user might log in as guest user
but end up getting the guest134 user account.

This means you would want some kind of sssd interaction, so a user
executing id or ls -lZ ~/ would see all of his files and processes
running as guest.

Taking advantage of other namespaces to set up additional containment
might also be interesting, especially the pid namespace.

On 11/10/2014 04:36 PM, Lennart Poettering wrote:
> On Mon, 10.11.14 16:41, Laércio de Sousa (laerciosousa at sme-mogidascruzes.sp.gov.br) wrote:
>
>> Hi there!
>>
>> Currently there are few alternatives for implementing guest accounts in
>> Linux systems. I know only two: an AppArmor-based approach implemented in
>> LightDM, and a SELinux-based approach implemented in Fedora's package
>> "xguest" that works with GDM. There's no option for console guest login
>> (should it be needed?).
>>
>> I was thinking if systemd-logind could handle itself guest accounts in the
>> future, making it available for use by any display manager (and even
>> console logins, who knows?).
>>
>> What do you think about it?
> I figure this pays into the whole concept of dynamic users, which we
> really want to have eventually, to deal with dynamic allocation of
> UIDs for user namespacing in container managers, for allocating
> per-seat users for gdm login screens, and then also for your use case,
> i.e. to implement guest users that go away entirely on logout.
>
> So yeah, it's definitely something we want, and I figure it should be
> added to the systemd project in some way.
>
> Lennart
>
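
The pam_namespace setup suggested in the message above can be checked mechanically. The following is an added example, not code from the thread or from the systemd or PAM projects: it parses namespace.conf-style entries and reports whether /tmp and $HOME are throwaway for a given account. The account name "guest" and the sample file content are assumptions constructed for illustration.

```python
# Added example. SAMPLE_CONF is constructed; "guest" is an assumed account name.
# Entry format per namespace.conf(5): polydir instance_prefix method list_of_uids
SAMPLE_CONF = """\
# polydir  instance_prefix  method  list_of_uids
/tmp       tmpfs            tmpfs   ~guest
$HOME      tmpfs            tmpfs   ~guest
/var/tmp   /var/tmp-inst/   level   root,adm
"""

# Methods whose per-session instance does not survive logout.
EPHEMERAL = {"tmpfs", "tmpdir"}


def parse(conf):
    """Yield (polydir, method, only_listed, users) for each entry."""
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed entry, ignore
        polydir, method = fields[0], fields[2].split(":", 1)[0]  # drop :options
        uids = fields[3] if len(fields) > 3 else ""
        only_listed = uids.startswith("~")
        users = {u for u in uids.lstrip("~").split(",") if u}
        yield polydir, method, only_listed, users


def applies_to(user, only_listed, users):
    """'~a,b' means only a and b; 'a,b' means everyone except a and b;
    an empty list means everyone."""
    return user in users if only_listed else user not in users


def guest_report(conf, user, required=("/tmp", "$HOME")):
    """Map each required directory to 'ephemeral' (discarded at logout),
    'persistent' (polyinstantiated but kept) or 'shared' (no entry applies)."""
    state = {d: "shared" for d in required}
    for polydir, method, only_listed, users in parse(conf):
        if polydir in state and applies_to(user, only_listed, users):
            state[polydir] = "ephemeral" if method in EPHEMERAL else "persistent"
    return state


if __name__ == "__main__":
    for d, s in guest_report(SAMPLE_CONF, "guest").items():
        print(f"{d}: {s}")
```

Any directory reported as "shared" or "persistent" for the guest account is a place where one guest session can leave data for the next.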


