Recent versions of the Ubuntu Linux distro fail to limit system access for guest accounts.
This according to developer Tyler Hicks, who reported a bug that allows guest users to roam free of the confines expected to be placed on system access for guests.
Ideally, guest users should be restricted to a small temporary environment when logging into an Ubuntu box – instead they get treated as normal users and can roam the file system as such. Ubuntu's default settings allow users to read other local users' files – guests shouldn't be allowed but can do so anyway, according to the fault report.
Specifically, a Canonical bug report explains that when guest sessions are launched through the LightDM interface, they are normally run under a special AppArmor profile that blocks access to much of the file system.
With Ubuntu 16.10, 17.04, and Ubuntu Artful Aardvark, however, the policy is not enforced, and the guest sessions are instead considered "unconfined." This can be verified by logging in as a guest and opening the terminal and typing
$ cat /proc/self/attr/current
The bug, of course, could be considered a security flaw as it would allow anyone with local access to an Ubuntu machine access to any sensitive files and data on the host machine. The vulnerability has been assigned the entry number CVE-2017-8900.
To protect against attack, the guest access in all three Ubuntu builds has been disabled until a full fix can be developed. Hicks notes that the guest account feature can be manually re-enabled, but that will of course re-expose the vulnerability.
While not a major flaw in any real sense – you need local access to the box to be a guest user – the bug is a bit of an embarrassing moment for Ubuntu. We can only imagine the pointing and laughing that would take place (El Reg included) if a similar bug were to be found in Windows or macOS, so suck it up Canonical and get it fixed. ®