Create guest account in Gnome 3.X on Arch Linux


Solution 1

It turns out it's quite simple with GDM. I assume you're using GDM since you're also using Gnome. First, create the guest user account with a blank password:

    sudo useradd -d /tmp/guest -p "$(openssl passwd "")" guest

The openssl passwd "" will return the hash of the empty string, thereby setting the password to blank.

Now, all you need are these two scripts:

  • /etc/gdm/PostLogin/Default

This is executed after you log in and will create the /tmp/$guestuser (/tmp/guest by default) directory and copy the default files from /etc/skel to it. To change the default username for the guest user, set guestuser to something else at the beginning.

 <!-- language: lang-bash -->

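    #!/bin/sh

    guestuser="guest"

    ## Set up guest user session
    if [ "$USER" = "$guestuser" ]; then
        # /tmp is world-writable: discard anything already at this path and
        # stop if a fresh, private directory cannot be created.
        rm -rf /tmp/"$guestuser"
        mkdir -m 700 /tmp/"$guestuser" || exit 1
        # Copy the whole skeleton, dot-directories included
        # ("/etc/skel/.*" also matches "." and ".." and skips directories).
        cp -a /etc/skel/. /tmp/"$guestuser"/
        chown -R "$guestuser":"$guestuser" /tmp/"$guestuser"
    fi
    exit 0

  • /etc/gdm/PostSession/Default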

This is executed after you log out and will remove the /etc/$guestuser directory and all its contents. Make sure to set guestuser to the same value in both scripts.

 <!-- language: lang-bash -->

    #!/bin/sh

    guestuser="guest"

    ## Clear up the guest user session
    if [ "$USER" = "$guestuser" ]; then
        rm -rf /tmp/"$guestuser"
    fi

    exit 0

Finally, make the two scripts executable:

    sudo chmod 755 /etc/gdm/PostLogin/Default /etc/gdm/PostSession/Default

Now, just log out and you will see your new guest user. You can log in by selecting it and hitting Enter when prompted for a password. The guest user won't be able to use sudo since that is the default for all users anyway. Only users explicitly mentioned in /etc/sudoers or those who are members of groups explicitly mentioned in sudoers (such as wheel or sudo, depending on your distribution) can use sudo.


If you are using a recent version of GDM, it may disable the login button while the password box is empty. To work around this you can tell GDM not to prompt for the password for specific groups. The caveat is that this will also bypass the session selection menu for members of that group. If you want to do this you should add this line at the beginning of /etc/pam.d/gdm-password:

    auth sufficient pam_succeed_if.so user ingroup guest
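
The PAM rule above grants passwordless GDM login to every member of the named group, not only to the guest account. The following audit is an added example, not part of the original answer: the function names and the sample files are constructed for illustration, and on a real system the arguments would be /etc/pam.d/gdm-password, /etc/group and /etc/passwd.

```shell
#!/bin/sh
# Added example: audit who a passwordless-login PAM rule really covers.
# Function names are hypothetical; sample files below are constructed.

# Print each group named by "auth sufficient pam_succeed_if.so user ingroup G".
pam_nopass_groups() {  # $1 = PAM service file
    awk '$1 == "auth" && $2 == "sufficient" && $3 == "pam_succeed_if.so" {
             for (i = 4; i + 2 <= NF; i++)
                 if ($i == "user" && $(i+1) == "ingroup") print $(i+2)
         }' "$1"
}

# Print all members of a group: supplementary members from the group file
# plus users whose primary GID matches. One name per line, sorted.
group_members() {  # $1 = group, $2 = group file, $3 = passwd file
    gid=$(awk -F: -v g="$1" '$1 == g { print $3 }' "$2")
    {
        awk -F: -v g="$1" '$1 == g && $4 != "" {
                n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i]
            }' "$2"
        if [ -n "$gid" ]; then
            awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$3"
        fi
    } | sort -u
}

# Report non-guest accounts that gain passwordless login, and flag a
# guest account that belongs to a sudo-capable group (wheel or sudo).
audit_guest() {  # $1 = guest user, $2 = PAM file, $3 = group file, $4 = passwd file
    for grp in $(pam_nopass_groups "$2"); do
        for u in $(group_members "$grp" "$3" "$4"); do
            [ "$u" = "$1" ] || echo "UNEXPECTED passwordless login: $u (group $grp)"
        done
    done
    for adm in wheel sudo; do
        group_members "$adm" "$3" "$4" | grep -qx "$1" &&
            echo "guest is in $adm"
    done
    return 0
}

# Constructed sample files: bob was added to the guest group by mistake.
demo=$(mktemp -d)
printf '%s\n' 'auth sufficient pam_succeed_if.so user ingroup guest' > "$demo/gdm-password"
printf '%s\n' 'wheel:x:998:alice' 'guest:x:1001:bob' > "$demo/group"
printf '%s\n' 'alice:x:1000:1000::/home/alice:/bin/bash' \
    'bob:x:1002:1002::/home/bob:/bin/bash' \
    'guest:x:1001:1001::/tmp/guest:/bin/bash' > "$demo/passwd"
audit_guest guest "$demo/gdm-password" "$demo/group" "$demo/passwd"
```
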

Solution 2

You could make use of logoff scripts. There you can delete the home folder for your guest account and create a new one on logout. If necessary, you could make it sudoable by the guest account via visudo. Add yourguestacc ALL=(root) NOPASSWD: /path/to/script/recreating/the/home/folder. See the Arch Wiki for further information.

Author by

Edward Torvalds

Updated on September 18, 2022

Comments

  • Edward Torvalds
    Edward Torvalds over 1 year

    I want a guest account just like in Ubuntu which has following features:

    1. It does not require password to login
    2. A new home folder (in /tmp if possible) is created with no data every time
    3. User data is deleted as soon as he/she logs out
    4. User can not use sudo

    I am running Gnome 3.20 on Arch Linux

    NOTE: please don't close my question as duplicate of Create guest account with restricted access to applications because that question does not have answers to my 2nd and 3rd point

    • Admin
      Admin about 8 years
      I have no idea how Ubuntu does it. If you need "exactly like Ubuntu", you'll have to edit your question and explain what that means. However, the links provided in the linked answer give the ways you can limit a user's authority and are almost certainly how Ubuntu has implemented whatever they've implemented behind the scenes. Try it.
  • Edward Torvalds
    Edward Torvalds about 8 years
    Why do you have to chmod those files? There is no need of that, because those scripts are run by root.
  • terdon
    terdon about 8 years
    @edwardtorvalds so? What difference does that make? Root can't execute non-executable files. And yes, you do need it because I tried it without making them executable and it failed. It would appear the scripts are being run directly (/path/to/script) and not as arguments to sh. Which makes sense since the examples provided included a shebang line.
  • Edward Torvalds
    Edward Torvalds about 8 years
    On the login screen, your solution requires pressing Enter without entering anything, which worked in 3.16. In newer GNOME (probably from 3.18) you cannot press Enter without entering anything, so the workaround is to keep the hashed password section in /etc/shadow empty.
  • Edward Torvalds
    Edward Torvalds almost 8 years
    Since the /tmp/guest/ folder does not exist on startup, the shadow service of systemd is failing every time.
  • MattSturgeon
    MattSturgeon about 7 years
    I added a paragraph on using PAM to bypass the gdm password prompt
  • terdon
    terdon about 7 years
    @MattSturgeon thanks. I assume you've tested that, right?
  • MattSturgeon
    MattSturgeon about 7 years
    @terdon works fine on my arch machine. It was actually required since gdm now won't attempt to login until you have entered a password. May be worth double checking that useradd always creates a default group (on all unix distros), since the PAM line uses groups.
  • terdon
    terdon about 7 years
    @MattSturgeon yeah, it seems perfectly reasonable, I just asked because since I haven't tested it, I couldn't know whether it works. Great edit, thanks!
  • terdon
    terdon almost 7 years
    @G-Man yes, good point. It will probably break if two guest accounts log in at the same time.
  • tjespe
    tjespe over 6 years
    This only worked for me after I replaced #!/bin/sh with #!/bin/bash because the if statement was failing with sh for some reason. Took me 15 minutes of testing and debugging.
  • 43Tesseracts
    43Tesseracts almost 4 years
    I had to replace the if statement on PostSession script, not sure why, maybe it runs as gdm user and not guest? So just tries to delete the guest drive when anyone logs out now, but it works!
  • terdon
    terdon almost 4 years
    @43Tesseracts sorry, my bad. The if [[ is a bash thing, so it works if your /bin/sh is pointing to bash, but not if it is pointing to some other shell (e.g. dash as is the case on Debian and Ubuntu). The updated answer should work for all of them.