Re: GUI on a server?
Webmin.
GitHub security researcher Kevin Backhouse found bugs in Ubuntu 20.04 (a long-term support release) which enabled any desktop user to get root access. The vulnerabilities have now been patched. Backhouse discovered two separate issues, one by accident, which together enable the privilege escalation. He noted that the …
This post has been deleted by its author
Most importantly, it is straightforward to document how an operation is done with text commands: Just show the commands to use. Looking up the commands from the command history, you get a record of what you did, in case you get a "oops, what the h* did I just do" moment.
By contrast, with GUIs the explanation is pages of screenshots interspersed with text like "go to the file menu, pick load, select the secret file, then ..." - I always scream internally when forced to write explanations of that sort to document an operation, or read them.
I should think that in most (or at least many) cases, the only people who have physical access to a company's server desktop GUI would be those with legitimate admin logins. For Ubuntu workstations, as it can only be exploited by people with user logins and physical access to the screen & keyboard (or maybe a GUI remote access session such as "Team Viewer"?), it is perhaps not as serious as it may appear at first read.
Very good catch!
Although Backhouse said that this exploit is particularly easy to execute, he added that he does not want “to give you impression that Ubuntu is full of trivial security bugs; that’s not been my impression so far.”
Systems don't need to be full of security bugs, trivial or otherwise, whenever just a few untouchable, invisible and/or unknown ones can be exploited and executed particularly easily.
But such has been warned about long before now .........
Reports that say that something hasn't happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns — the ones we don't know we don't know. And if one looks throughout the history of our country and other free countries, it is the latter category that tend to be the difficult ones. .... Donald Rumsfeld
"If the miscreant has local access, it's already game over."
Well, unless both bootloader and firmware (including access to Intel's so-called "Management Engine" interface) have been properly locked down and the case has been secured with a padlock, of course.
There's not normally a need for that in the server room (but then, servers should - except in a few and far inbetween special cases - not run a GUI in the first place). However, if the Ubuntu box in question happens to be serving users in a public IT lab - a scenario quite common on university campuses - this bug is indeed an issue.
For example? Ubuntu is a big deal as far as Linux distros go
Also, secondary follow up: what is the metric we should use to gauge "industrial strength"?
Finally: what level of market share is required before we need to invest time finding bugs? If we only need to worry about the big boys, you mean that anything goes until you're, say, 20% of the market?
I'm with you on this. The footprints of freedesktop.org are all over the average Linux distro, and provide little useful functionality for much-expanded attack surface.
And as for the Gnome system watching to see if the Account service is running and then deciding you need a new privileged user, it's not the first approach I'd have thought of. Is there a password file? When was it modified? Does it have a root account enabled? And so on.