I have stuff stored in an external partition (ext4) that is mounted through `/etc/fstab` to the location `/vms`. Inside that directory, I have a folder `shared` which should be accessible (currently read-only, later maybe read-write) by all local users, including guest sessions.

However, `chmod -R a+r /vms/shared` makes the files world-readable to all standard users, but not for guest sessions, which AFAIK have another layer of restrictions through AppArmor or something like that which denies access to everything outside their home.

I already have a separate account `guest-config` which serves as the default profile for new guest sessions (`/etc/guest-session/skel` is a symlink to `/home/guest-config`) to be able to tweak guest profile settings, just in case this will help.

How can I unlock this specific directory (and all its files and subdirectories) to grant guest accounts read-only or read-write access? Using Ubuntu 16.04 btw.
Best Answer
(Copied from my answer here, since I saw that first, and it doesn't seem right to mark this as a duplicate of a question asked later.)
Guest sessions are locked down using AppArmor, which uses a long list of special permissions to keep guest users from touching anything. These are accessed from `/etc/apparmor.d/lightdm-guest-session`. On my machine, that file looks like this:

Opening up that "main abstraction" (`/etc/apparmor.d/abstractions/lightdm`) gives something more interesting:

These are all the directories which a restricted session can access, along with their permissions. If you add your partition and shared folder to that list (with a trailing `/**` to include all subdirectories, and an `r` for read permission), all future guest sessions will have read-only access to it.

For read-write permissions, use `rw`; this is the default permission for `/var/guest-data`. For full permissions, use `rwlkmix`; this is the default permission for guest-owned drives in `/media`. These stand for Read, Write, Link, locK, Memory-map, and Inherit-eXecute: the last one gives execution privileges, but specifies that execution must happen within the current confinement (so you can't break out of the guest restrictions by running a specially-crafted shell script).
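An added example, not part of the answer above: a small shell helper that builds the rule lines for the shared directory in the form the lightdm abstraction expects, accepts only the three permission modes the answer names, and reloads the profile. It assumes the abstraction and profile paths from the answer and adds a rule for the directory entry itself alongside the `/**` rule, since `/**` matches the contents but not the directory.

```shell
#!/bin/sh
# Added example (not the answer's own code): generate AppArmor file rules
# that let the guest session reach a directory, then apply them.

ABSTRACTION=/etc/apparmor.d/abstractions/lightdm   # file the answer edits
PROFILE=/etc/apparmor.d/lightdm-guest-session      # profile to reload

# guest_rules DIR [MODE]: print two rule lines, one for the directory
# entry itself and one for everything beneath it. MODE defaults to r
# (read-only), the least privilege that satisfies the question.
guest_rules() {
    dir=${1%/}          # drop one trailing slash so we do not emit '//'
    mode=${2:-r}
    case "$dir" in
        /*) ;;
        *) echo "path must be absolute: '$1'" >&2; return 1 ;;
    esac
    # Only the modes the answer documents are accepted (r, rw, rwlkmix);
    # anything else is rejected instead of silently granted.
    case "$mode" in
        r|rw|rwlkmix) ;;
        *) echo "unsupported mode: $mode" >&2; return 1 ;;
    esac
    printf '%s/ %s,\n%s/** %s,\n' "$dir" "$mode" "$dir" "$mode"
}

# apply_guest_rule DIR [MODE]: append the rules to the abstraction once
# and reload the guest-session profile so new sessions pick them up.
apply_guest_rule() {
    rules=$(guest_rules "$1" "$2") || return 1
    if grep -qxF "${1%/}/** ${2:-r}," "$ABSTRACTION"; then
        echo "rule already present in $ABSTRACTION"
        return 0
    fi
    printf '%s\n' "$rules" | sudo tee -a "$ABSTRACTION" >/dev/null
    sudo apparmor_parser -r "$PROFILE"
}
```

Running `apply_guest_rule /vms/shared` gives read-only access; `apply_guest_rule /vms/shared rw` is the read-write variant. Already-running guest sessions keep the old policy until they log out.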