Enabling Guest Session for LightDM

Dear fellows,

I would like to reactivate the guest session for LightDM, which is the default display manager of Ubuntu Budgie 18.04. Also, I am willing to take the risk for the known security issue which comes along.

My LightDM configuration looks like this:

$ lightdm --show-config 
   [Seat:*]
H  allow-guest=true
C  greeter-wrapper=/usr/lib/lightdm/lightdm-greeter-session
D  guest-wrapper=/usr/lib/lightdm/lightdm-guest-session
E  greeter-session=slick-greeter
F  xserver-command=X -core
G  user-session=budgie-desktop

   [LightDM]
B  backup-logs=false

Sources:
A  /usr/share/lightdm/lightdm.conf.d/50-disable-guest.conf
B  /usr/share/lightdm/lightdm.conf.d/50-disable-log-backup.conf
C  /usr/share/lightdm/lightdm.conf.d/50-greeter-wrapper.conf
D  /usr/share/lightdm/lightdm.conf.d/50-guest-wrapper.conf
E  /usr/share/lightdm/lightdm.conf.d/50-slick-greeter.conf
F  /usr/share/lightdm/lightdm.conf.d/50-xserver-command.conf
G  /etc/lightdm/lightdm.conf.d/50_budgie-desktop.conf
H  /etc/lightdm/lightdm.conf.d/99-enable-guest-session.conf

So, the guest session is available in the login screen.

Now, I want to log in choosing the guest session. At first it looks like it's working properly. Unfortunately, as soon as the Budgie desktop appears, the guest session gets terminated immediately and I find myself back on the login screen again. I simply can’t start the guest session.

What the log says:

$ journalctl -eu lightdm.service
Apr 06 18:12:34 localhost.localdomain lightdm[7383]: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
Apr 06 18:12:34 localhost.localdomain lightdm[7383]: PAM adding faulty module: pam_kwallet.so
Apr 06 18:12:34 localhost.localdomain lightdm[7383]: PAM unable to dlopen(pam_kwallet5.so): /lib/security/pam_kwallet5.so: cannot open shared object file: No such file or directory
Apr 06 18:12:34 localhost.localdomain lightdm[7383]: PAM adding faulty module: pam_kwallet5.so
Apr 06 18:12:34 localhost.localdomain lightdm[7383]: pam_unix(lightdm-greeter:session): session opened for user lightdm by (uid=0)
Apr 06 18:12:34 localhost.localdomain lightdm[7467]: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
Apr 06 18:12:34 localhost.localdomain lightdm[7467]: PAM adding faulty module: pam_kwallet.so
Apr 06 18:12:34 localhost.localdomain lightdm[7467]: PAM unable to dlopen(pam_kwallet5.so): /lib/security/pam_kwallet5.so: cannot open shared object file: No such file or directory
Apr 06 18:12:34 localhost.localdomain lightdm[7467]: PAM adding faulty module: pam_kwallet5.so
Apr 06 18:12:34 localhost.localdomain lightdm[7467]: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "janedoe"
Apr 06 18:12:36 localhost.localdomain lightdm[7469]: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
Apr 06 18:12:36 localhost.localdomain lightdm[7469]: PAM adding faulty module: pam_kwallet.so
Apr 06 18:12:36 localhost.localdomain lightdm[7469]: PAM unable to dlopen(pam_kwallet5.so): /lib/security/pam_kwallet5.so: cannot open shared object file: No such file or directory
Apr 06 18:12:36 localhost.localdomain lightdm[7469]: PAM adding faulty module: pam_kwallet5.so
Apr 06 18:12:36 localhost.localdomain lightdm[7469]: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "johndoe"
Apr 06 18:12:38 localhost.localdomain useradd[7495]: new group: name=guest-pfd3rg, GID=997
Apr 06 18:12:38 localhost.localdomain useradd[7495]: new user: name=guest-pfd3rg, UID=998, GID=997, home=/tmp/guest-pfd3rg, shell=/bin/bash
Apr 06 18:12:38 localhost.localdomain su[7508]: Successful su for guest-pfd3rg by root
Apr 06 18:12:38 localhost.localdomain su[7508]: + ??? root:guest-pfd3rg
Apr 06 18:12:38 localhost.localdomain su[7508]: pam_unix(su:session): session opened for user guest-pfd3rg by (uid=0)
Apr 06 18:12:38 localhost.localdomain su[7508]: pam_unix(su:session): session closed for user guest-pfd3rg
Apr 06 18:12:38 localhost.localdomain lightdm[7532]: pam_unix(lightdm-autologin:session): session opened for user guest-pfd3rg by (uid=0)
Apr 06 18:12:42 localhost.localdomain lightdm[1224]: umount: /tmp/guest-pfd3rg: target is busy.
Apr 06 18:12:42 localhost.localdomain lightdm[1224]: umount: /tmp/guest-pfd3rg: not mounted.
Apr 06 18:12:42 localhost.localdomain lightdm[1224]: umount: /tmp/guest-pfd3rg: not mounted.
Apr 06 18:12:42 localhost.localdomain lightdm[1224]: umount: /tmp/guest-pfd3rg: not mounted.
Apr 06 18:12:42 localhost.localdomain lightdm[1224]: umount: /tmp/guest-pfd3rg: not mounted.
Apr 06 18:12:42 localhost.localdomain userdel[8057]: delete user 'guest-pfd3rg'
Apr 06 18:12:42 localhost.localdomain userdel[8057]: removed group 'guest-pfd3rg' owned by 'guest-pfd3rg'
Apr 06 18:12:42 localhost.localdomain userdel[8057]: removed shadow group 'guest-pfd3rg' owned by 'guest-pfd3rg'
Apr 06 18:12:43 localhost.localdomain lightdm[8083]: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
Apr 06 18:12:43 localhost.localdomain lightdm[8083]: PAM adding faulty module: pam_kwallet.so
Apr 06 18:12:43 localhost.localdomain lightdm[8083]: PAM unable to dlopen(pam_kwallet5.so): /lib/security/pam_kwallet5.so: cannot open shared object file: No such file or directory
Apr 06 18:12:43 localhost.localdomain lightdm[8083]: PAM adding faulty module: pam_kwallet5.so
Apr 06 18:12:43 localhost.localdomain lightdm[8083]: pam_unix(lightdm-greeter:session): session opened for user lightdm by (uid=0)
Apr 06 18:12:45 localhost.localdomain lightdm[8169]: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
Apr 06 18:12:45 localhost.localdomain lightdm[8169]: PAM adding faulty module: pam_kwallet.so
Apr 06 18:12:45 localhost.localdomain lightdm[8169]: PAM unable to dlopen(pam_kwallet5.so): /lib/security/pam_kwallet5.so: cannot open shared object file: No such file or directory
Apr 06 18:12:45 localhost.localdomain lightdm[8169]: PAM adding faulty module: pam_kwallet5.so
Apr 06 18:12:45 localhost.localdomain lightdm[8169]: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "johndoe"
Apr 06 18:12:45 localhost.localdomain lightdm[8171]: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
Apr 06 18:12:45 localhost.localdomain lightdm[8171]: PAM adding faulty module: pam_kwallet.so
Apr 06 18:12:45 localhost.localdomain lightdm[8171]: PAM unable to dlopen(pam_kwallet5.so): /lib/security/pam_kwallet5.so: cannot open shared object file: No such file or directory
Apr 06 18:12:45 localhost.localdomain lightdm[8171]: PAM adding faulty module: pam_kwallet5.so
Apr 06 18:12:45 localhost.localdomain lightdm[8171]: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "janedoe"

There are a lot of resources out in the realm of Google about this topic and many seem to succeed for Ubuntu, but I didn’t find one describing my exact issue. That’s why I wonder if this might be some Ubuntu Budgie specific issue. I hope someone can help me out.

/EDIT My system is running Ubuntu Budgie 18.04.2 LTS.

Thanks in advance

I can confirm the issue although I don’t have a solution :frowning:

There seems to be lots and lots of AppArmor Denied messages in journalctl - also budgie-polkit crashed as well - I suspect that is the reason for the failure to start the session since repeated failures of budgie-polkit will crash the session.

Polkit establishes various dbus interfaces - I also see gnome-screensaver not starting

Again - I thought apparmor is probably the issue here but disabling apparmor doesn’t seem to make a difference

sudo systemctl stop apparmor
sudo systemctl disable apparmor

@fossfreedom In the meanwhile I installed flavourless Ubuntu with LightDM in a virtual machine. There the guest session works flawlessly.

Is there any chance my issue might be (Ubuntu) Budgie specific? Maybe I shall file a bug report?

Honestly don’t know. Guest session isn’t a subscribed capability by upstream as far as I know. So it will likely need to be debugged and resolved by the Ubuntu Budgie community.


@fossfreedom It’s been a while but now I found time to test your AppArmor suggestion.

I stopped the AppArmor service and disabled it. At first it seemed that these steps didn’t change anything. But then I additionally restarted my computer while keeping the AppArmor service disabled and now my guest session works :slight_smile: Hooray!

With some more testing (enabling and disabling AppArmor) I can confirm, restarting the computer after disabling AppArmor is indeed necessary. I hope this will help others.

Unfortunately, I am not much into what AppArmor is good for. It seems like the Ubuntu way of SELinux, right?

cool - yeah - must have forgot to reboot … slap me with a wet fish… :slight_smile:

Anyway - yes, apparmor is Ubuntu’s “strength in depth” solution - protects applications themselves rather than just a firewall which just protects ip addresses and ports.

It’s likely the guest session simply locks down the vast majority of stuff - probably includes Unity based “allow this” type rules i.e. guest session last worked for Ubuntu Unity before Ubuntu itself switched to GDM.

So for a proper solution we would similarly need to create “allow budgie” type rules for the guest session.
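
Added example, not part of the thread and not Ubuntu Budgie's own tooling: instead of disabling AppArmor system-wide, the AppArmor denials mentioned above can be grouped into candidate “allow budgie” rules for the guest profile. The profile name (assumed to match the guest-wrapper path in the configuration above) and all sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: the guest profile is named after the guest-wrapper path shown above.
GUEST_PROFILE = "/usr/lib/lightdm/lightdm-guest-session"

# Constructed sample lines in the kernel's AppArmor audit format (not from the thread).
SAMPLE_LOG = """\
Apr 06 18:12:39 host kernel: audit: type=1400 audit(1554567159.101:101): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" name="/example/budgie/settings.conf" pid=7601 comm="budgie-panel" requested_mask="r" denied_mask="r" fsuid=998 ouid=0
Apr 06 18:12:39 host kernel: audit: type=1400 audit(1554567159.105:102): apparmor="DENIED" operation="mknod" profile="/usr/lib/lightdm/lightdm-guest-session" name="/example/budgie/settings.conf" pid=7601 comm="budgie-panel" requested_mask="wc" denied_mask="wc" fsuid=998 ouid=998
Apr 06 18:12:40 host kernel: audit: type=1400 audit(1554567160.220:103): apparmor="DENIED" operation="exec" profile="/usr/lib/lightdm/lightdm-guest-session" name="/example/bin/budgie-helper" pid=7610 comm="budgie-wm" requested_mask="x" denied_mask="x" fsuid=998 ouid=0
Apr 06 18:12:41 host kernel: audit: type=1400 audit(1554567161.300:104): apparmor="DENIED" operation="open" profile="/usr/sbin/example-daemon" name="/example/other" pid=900 comm="example-daemon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
# The kernel reports create/delete as "c"/"d"; profile rules express both as "w".
MASK_TO_RULE = {"c": "w", "d": "w"}

def parse_denials(text, profile=GUEST_PROFILE):
    """Return key/value dicts for AppArmor DENIED events of one profile."""
    events = []
    for line in text.splitlines():
        fields = {k: v.strip('"') for k, v in KV.findall(line)}
        if fields.get("apparmor") == "DENIED" and fields.get("profile") == profile:
            events.append(fields)
    return events

def candidate_rules(events):
    """Merge file denials per path into rule lines; exec denials are listed for review."""
    perms, review = defaultdict(set), set()
    for ev in events:
        name = ev.get("name")
        for ch in ev.get("denied_mask", "") if name else "":
            if ch == "x":
                review.add(name)  # choosing ix/px/cx is a policy decision
            else:
                perms[name].add(MASK_TO_RULE.get(ch, ch))
    rules = []
    for path, granted in sorted(perms.items()):
        if "w" in granted:
            granted.discard("a")  # "w" already covers append; a rule cannot carry both
        rules.append(f"{path} {''.join(c for c in 'rwaklm' if c in granted)},")
    return rules, sorted(review)

if __name__ == "__main__":
    rules, review = candidate_rules(parse_denials(SAMPLE_LOG))
    print("\n".join(rules))
    print("exec denials to review:", review)
```

Run against the kernel messages from a failed guest login (for example the output of `journalctl -k`), the resulting lines are candidates to review before adding them to the guest profile, which keeps AppArmor enforcing for everything else.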