Additional AppArmor profile settings for lightdm-guest-session in openSUSE 13.2

Currently openSUSE's lightdm package comes with guest account support disabled (relevant files not installed). Is there any reason for this?

I'm working on a X11:Utilities/lightdm branch where I've re-introduced guest account scripts adapted from Ubuntu.

I'm testing it in an openSUSE 13.2 installation. Guest account creation/removal are working fine, but for some reason I don't know, guest sessions are still aborting.

My branch:

https://build.opensuse.org/package/show/home:lbssousa:branches:X11:Utilities/lightdm

The guest session allows potentially untrusted users to log in without a password and implies severely restricted privileges and confinement of the temporary guest user account (see https://help.ubuntu.com/stable/ubuntu-help/shell-guest-session.html).
The script that comes with lightdm is specific to Ubuntu with lots of details that that are different or do not apply to openSUSE (and the reason why it is in the debian/ directory), it's probably better to start from scratch than trying to adapt it. And creating and removing a temporary user is the easy part, the hard part is to make the guest account reasonably secure and to restrict privileges that regular local users have. That is, you would need to develop a custom Apparmor profile tailored for openSUSE and also custom PolicyKit policies for guest users.
That would require a lot of effort, time and knowledge on distribution details, PolicyKit, and AppArmor as well as ongoing maintenance since you'd need to keep on top of thing when paths, DBus interfaces etc. change. Guest accounts are not so much a feature of LightDM but the whole distribution which is probably why to my knowledge no other distribution than Ubuntu supports them.
At least I don't have the time and necessary expertise in AppArmor to implement and maintain this, so I'm closing this. If you do, feel free to work on this and you probably want to coordinate this with the security team.

I've managed to make guest login work!

My guest-account creation script (ported from Ubuntu) is available in my lightdm branch (link above). The relevant changes are:

* Replace /etc/default/locale with /etc/sysconfig/language (and export LANG=$RC_LANG)

* Replace "adduser with --gecos option" with useradd (followed by chfn to set GECOS)

* Rename UID variable to GUEST_UID (systemd is telling me that special variable UID is read-only).

* Replace /media with /run/media

The hardest part was debugging AppArmor profile. After some struggle, I've found that the following settings need to be added in lightdm-guest-session AppArmor profile:

# Needed to exec /etc/X11/xdm/Xsession, openSUSE'd default session-wrapper.
/etc/X11/xdm/** ix,

# Needed to exec /etc/X11/xinit/xinitrc and /etc/X11/xinit/xinitrc/xdg-user-dirs.sh, called by /etc/X11/xdm/Xsession.
/etc/X11/xinit/** ix,

# openSUSE mounts USB sticks under /run/media, not /media.
owner /run/media/ r,
owner /run/media/** rmwlixk,

I've opened a bug at Launchpad to ask if these settings could be upstreamed. See also: https://bugs.launchpad.net/lightdm/+bug/1391955

Reopening and following up on sr#261371.

From a brief look at rev. 14 of home:lbssousa:branches:X11:Utilities/lightdm:

- on openSUSE uids until 1000 are reserved for system users
- locale directory for lightdm is /usr/share/locale
- autostart stuff should be adapted to openSUSE
  - e.g. pk-update-icon.desktop disabled instead of update-notifier.desktop etc.
- what happens when screensavers lock which are not covered by the script, e.g. xscreensaver, the MATE screensaver etc., unlike Ubuntu we have 7 supported desktops in openSUSE
- the Unity-specific stuff can probably be removed
- I'm not sure HOME on tmpfs is a good idea, trivial to DOS and even without malicious intent it does not seem to be a good choice on memory-limited systems
- most importantly, as I already pointed out, there need to be separate, more restricted PolicyKit policies for guest users, currectly an active local user can e.g. shutdown the system or install updates without a password, maybe the restricted preset can be somewhat re-used for this, please get in touch with the security team via <email address hidden>
- due to the sensistive nature of allowing passwordless logins of untrusted users, this should be disabled by default, that is guest-session = False
- once finished, the wrapper script, PolicyKit policy, and AppArmor profile should be reviewed by the security team
- finally, are you willing to maintain guest-session support and e.g. maintain the scripts, polciies and handle gust-session specific bugs?

This is automated batch bugzilla cleanup.

The openSUSE Tumbleweed changed its development model at the end of
year 2014. [1]
Which means that most of the older bugs are reported against completely
different product than the current release of openSUSE Tumbleweed.

There is very high probability that this bug is no-longer relevant at all.
As a result we are closing this bug.

If you can reproduce this bug against a current Tumbleweed installation of
openSUSE, or you can still observe it under openSUSE Leap 15.0, please
feel free to reopen this bug.

Thank you for reporting this bug and we are sorry it was not resolved
under the old product.

[1] https://en.opensuse.org/Portal:Tumbleweed