How to Create Restricted Guest Account in Ubuntu 20.04 / 21.10 GDM

July 30, 2021 — Leave a comment

Want to enable Guest account in Ubuntu? Without switching to another display manager, you can add Guest in Gnome login screen for people to use your computer while NOT being able to install/remove app, change system wide settings, and access files outside its own directory.

Guest is available by default in Ubuntu 16.04 Unity desktop. After Ubuntu switched to Gnome Desktop, the feature is removed. For those need Guest account, it’s easy to add it back via following steps.

1. Create Guest Account.

Firstly, open system settings either from top-right system menu, or by searching from Activities overview screen.

Next, navigate to Users in left pane and click “Unlock” button and type your user password to unlock the settings page.

Finally, click on “Add User…” to create a new user:

  • select Standard, so it has no sudo permission, can’t install/remove app, and no access file outside its user home.
  • set username to Guest.
  • And set password for it. REQUIRED though it’s useless. Next step I’ll tell how to enable no password login.

2. Enable No Password Login for Guest

Press Ctrl+Alt+T on keyboard to open terminal, then copy and paste the command below and hit Enter.

sudo gedit /etc/pam.d/gdm-password

This command will open the configuration file. Simply add the following line at the beginning (so it will be the first line) and save it:

auth sufficient pam_succeed_if.so user ingroup guest

OK, in next boot you’ll see the Guest account in GNOME login screen. Simple click to login without typing password, and enjoy!

3.(Optional) Add more Restrictions:

The Guest account can’t install/remove apps, manage PPAs, access files out of its home directory. Any action needs authentication will ask for typing password for Admin Account.

It however has permissions to customize its own desktop appearance, access CD Rom, mount/un-mount USB and other removable devices, use audio/video devices (e.g., webcam, microphone), full and direct access to serial ports.

These permissions are handled via groups. You can check which groups that include Guest account via command:

cat /etc/group |grep guest

And the Debian Wiki tells what do the groups do. By removing Guest from a group will disable the permission. For example, remove it from plugdev group run command:

sudo gpasswd --delete guest plugdev

For even more restrictions, e.g., disable save file, lock down appearance settings, disable printing, etc., go to the Gnome Wiki.

Twitter

I'm a freelance blogger who started using Ubuntu in 2007 and wishes to share my experiences and some useful tips with Ubuntu beginners and lovers. Please notify me if you find any typo/grammar/language mistakes. English is not my native language. Contact me via [email protected]

No Comments

Be the first to start the conversation.

Leave a Reply

Text formatting is available via select HTML.

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> 

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.