Ubuntu – How to grant guest accounts read (or read-write) permission on a folder outside their home

apparmorguest-sessionmountpermissions

I have stuff stored in an external partition (ext4) that is mounted through /etc/fstab to the location /vms. Inside that directory, I have a folder shared which should be accessible (currently read-only, later maybe read-write) by all local users, including guest sessions.

However, chmod -R a+r /vms/shared makes the files world-readable to all standard users, but not for guest sessions, which AFAIK have another layer of restrictions through AppArmor or something like that which denies access to everything outside their home.

I already have a separate account guest-config which serves as default profile for new guest sessions (/etc/guest-session/skel is a symlink to /home/guest-config) to be able to tweak guest profile settings, just in case this will help.

How can I unlock this specific directory (and all its files and subdirectories) to grant guest accounts read-only or read-write access? Using Ubuntu 16.04 btw.

Best Answer

(Copied from my answer here, since I saw that first, and it doesn't seem right to mark this as a duplicate of a question asked later.)

Guest sessions are locked down using AppArmor, which uses a long list of special permissions to keep guest users from touching anything. These are accessed from etc/apparmor.d/lightdm-guest-session.

On my machine, that file looks like this:

# Profile for restricting lightdm guest session

#include <tunables/global>

/usr/lib/lightdm/lightdm-guest-session {
  # Most applications are confined via the main abstraction
  #include <abstractions/lightdm>

  # chromium-browser needs special confinement due to its sandboxing
  #include <abstractions/lightdm_chromium-browser>
}

Opening up that "main abstraction" (etc/apparmor.d/abstractions/lightdm) gives something more interesting:

...
/ r,
/bin/ rmix,
/bin/fusermount Px,
/bin/** rmix,
/cdrom/ rmix,
/cdrom/** rmix,
/dev/ r,
/dev/** rmw, # audio devices etc.
owner /dev/shm/** rmw,
/etc/ r,
/etc/** rmk,
...

These are all the directories which a restricted session can access, along with their permissions. If you add your partition and shared folder to that list (with a trailing /** to include all subdirectories, and an r for read permission), all future guest sessions will have read-only access to it.

For read-write permissions, use rw; this is the default permission for /var/guest-data. For full permissions, use rwlkmix; this is the default permission for guest-owned drives in /media. These stand for Read, Write, Link, locK, Memory-map, and Inherit-eXecute: the last one gives execution privileges, but specifies that execution must happen within the current confinement (so you can't break out of the guest restrictions by running a specially-crafted shell script).

Related Question