It's already known that the guest account can't use su or sudo. How is this done?
My guess would be AppArmor. However, there's no mention of either in /etc/apparmor.d/lightdm-guest-session (or other files included in it). Is it done by denying some capability?
$ grep cap /etc/apparmor.d/abstractions/lightdm
capability ipc_lock,
deny capability dac_override,
deny capability dac_read_search,
dac_override seems to be a good candidate. According to man capabilities:
CAP_DAC_OVERRIDE
Bypass file read, write, and execute permission checks. (DAC is
an abbreviation of "discretionary access control".)
CAP_DAC_READ_SEARCH
* Bypass file read permission checks and directory read and
execute permission checks;
* Invoke open_by_handle_at(2).
Is this it, or is it some other capability? Or is it not apparmor at all?
Apparently, it's the setgid capability. From syslog for a su attempt:
Mar 18 12:14:52 muru-wily kernel: [ 5285.025017] audit: type=1400 audit(1458283492.316:159): apparmor="DENIED" operation="capable" profile="/usr/lib/lightdm/lightdm-guest-session" pid=25687 comm="su" capability=6 capname="setgid"
However:
$ sudo grep setgid /etc/apparmor* -R
/etc/apparmor.d/disable/usr.sbin.rsyslogd: capability setgid,
/etc/apparmor.d/usr.sbin.tcpdump: capability setgid,
/etc/apparmor.d/cache/.features:caps {mask {chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read
/etc/apparmor.d/usr.sbin.cupsd: capability setgid,
/etc/apparmor.d/usr.sbin.cupsd: capability setgid,
/etc/apparmor.d/usr.sbin.rsyslogd: capability setgid,
/etc/apparmor.d/abstractions/lightdm_chromium-browser: capability setgid, # for sandbox to drop privileges
/etc/apparmor.d/abstractions/dovecot-common: capability setgid,
/etc/apparmor.d/abstractions/postfix-common: capability setgid,
Aside from the .cache folder, nothing seems to be restricting setgid. However, man apparmor.d says:
Capabilities
The only capabilities a confined process may use may be enumerated;
If I understand correctly, then if any capabilities are listed, then only those can be used - all others are restricted. Does the "capability ipc_lock," line automatically restrict all other unmentioned capabilities? If so, why "deny capability dac_override," and "deny capability dac_read_search,"?
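As an added worked example (not part of the question or of Ubuntu's AppArmor profiles), the script below does two things a defender checking this would want: it parses the kernel audit line quoted above into its fields, and it models the capability semantics the man page describes, where a confined process may use only the capabilities its profile enumerates and an explicit deny rule overrides any allow, including one pulled in from an included abstraction. The profile fragment is constructed from the three grep hits shown above; the audit line is the one from the question.

```python
import re

# Audit line copied from the question (kernel audit message for the su attempt).
SAMPLE_AUDIT_LINE = (
    'Mar 18 12:14:52 muru-wily kernel: [ 5285.025017] audit: type=1400 '
    'audit(1458283492.316:159): apparmor="DENIED" operation="capable" '
    'profile="/usr/lib/lightdm/lightdm-guest-session" pid=25687 comm="su" '
    'capability=6 capname="setgid"'
)

# Constructed profile fragment: the three capability rules grep found in
# /etc/apparmor.d/abstractions/lightdm (not the full abstraction).
SAMPLE_PROFILE = """
  capability ipc_lock,
  deny capability dac_override,
  deny capability dac_read_search,
"""

# key=value or key="quoted value" pairs as they appear in audit messages
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# capability rules: optional "deny", optional space-separated names,
# trailing comma, optional "# comment"; a bare "capability," grants all
RULE_RE = re.compile(r'^\s*(deny\s+)?capability(?:\s+([\w\s]+?))?\s*,\s*(?:#.*)?$')


def parse_apparmor_audit(line):
    """Return the key/value fields of an AppArmor audit line, or None."""
    if 'apparmor=' not in line:
        return None
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def summarize_capability_denials(lines):
    """Map profile -> set of capability names the kernel refused ("capable" op)."""
    denials = {}
    for line in lines:
        fields = parse_apparmor_audit(line)
        if not fields:
            continue
        if fields.get('apparmor') == 'DENIED' and fields.get('operation') == 'capable':
            denials.setdefault(fields['profile'], set()).add(fields['capname'])
    return denials


def parse_capability_rules(profile_text):
    """Collect allowed and denied capability names from profile text.
    '*' in the allowed set stands for a bare 'capability,' rule (all caps)."""
    allowed, denied = set(), set()
    for line in profile_text.splitlines():
        match = RULE_RE.match(line)
        if not match:
            continue
        names = match.group(2).split() if match.group(2) else ['*']
        (denied if match.group(1) else allowed).update(names)
    return allowed, denied


def capability_permitted(capname, allowed, denied):
    """Whitelist semantics: only enumerated capabilities may be used, and an
    explicit deny wins over any allow rule (e.g. one from an included file)."""
    if capname in denied:
        return False
    return capname in allowed or '*' in allowed


if __name__ == '__main__':
    allowed, denied = parse_capability_rules(SAMPLE_PROFILE)
    print('allowed:', sorted(allowed), 'denied:', sorted(denied))
    for profile, caps in summarize_capability_denials([SAMPLE_AUDIT_LINE]).items():
        for cap in sorted(caps):
            print(f'{profile}: {cap} permitted by rules? '
                  f'{capability_permitted(cap, allowed, denied)}')
```

Run against the fragment above, setgid is refused not because a rule names it, but because it is absent from the enumerated set; the two deny rules only add an explicit, overriding refusal for capabilities that an included abstraction might otherwise grant.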
From doing a quick search, I think the answer is that Ubuntu does not actually have a guest account; it uses a "guest session". Guest sessions cannot make any real changes to a system, so if you log on and try to save a file to the session's home directory, those files are removed when you log out.
You can almost think of a guest session as a live USB/CD session.
Most of my searches on guest sessions only give me options to remove it. I did find one that talked about creating a guest user, and that is different from the guest session.