Ubuntu 20.04 is an incredibly popular operating system, perhaps the most popular of the Linux distributions thanks to its ease of use. In general it’s a fairly trustworthy operating system too, especially since its source code is open. However, an update shipped with the 20.04 release led security researcher [Kevin Backhouse] to find a surprisingly easy way to escalate privileges on this OS, which we would like to note is not great.
The exploit involves two bugs: one in the accountsservice daemon, which manages user accounts on the computer, and another in the GNOME Display Manager, which handles the login screen. Ubuntu 20.04 added code to the daemon that reads a specific file on the computer; by replacing that file with a simple symlink, the daemon can be tricked into reading a different file, which locks the process into an infinite loop. The daemon also drops its privileges at one point in this process, a normal security precaution, but that is exactly what allows an unprivileged user to crash it.
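The first bug is an instance of a general trap: a privileged process opens a path the user controls, follows whatever symlink sits there, and reads with no upper bound. The Python block below is an added example for this article; it is not code from the post, from Kevin Backhouse, or from accountsservice (which is written in C), and it does not name the file the daemon actually reads. The file names, the 64 KiB cap and the `/dev/zero` symlink target are all constructed for the demo. It puts the naive read beside a hardened one that refuses symlinks at open time (`O_NOFOLLOW`), refuses anything that is not a regular file after opening, and bounds the read so that a file which never reaches end-of-file cannot pin the process forever.

```python
import os
import stat
import tempfile

# Constructed limit: a per-user settings file has no reason to be larger than this.
MAX_BYTES = 64 * 1024


def naive_read(path):
    """The unsafe pattern: follows symlinks and reads until EOF. Pointed at a
    device that never hits EOF (or a FIFO with no writer) this never returns,
    which is the infinite loop the article describes. Not called on the
    device link below for exactly that reason."""
    with open(path, "rb") as f:
        return f.read()


def safe_read_user_file(path, max_bytes=MAX_BYTES):
    """Read a file under user control the way a privileged process should:
    - O_NOFOLLOW: refuse a symlink at the final path component
    - O_NONBLOCK: opening a FIFO with no writer does not hang
    - fstat + S_ISREG: reject devices, FIFOs and sockets after opening
    - size cap: bound the read even if the file grows while we read it
    """
    flags = os.O_RDONLY
    for name in ("O_NOFOLLOW", "O_NONBLOCK", "O_CLOEXEC"):
        flags |= getattr(os, name, 0)  # absent on some platforms; fall back silently
    try:
        fd = os.open(path, flags)
    except OSError as exc:  # ELOOP for a symlink under O_NOFOLLOW, ENOENT, EACCES, ...
        raise ValueError(f"refusing to open {path!r}: {exc.strerror}") from exc
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise ValueError(f"refusing {path!r}: not a regular file")
        if st.st_size > max_bytes:
            raise ValueError(f"refusing {path!r}: larger than {max_bytes} bytes")
        chunks = []
        total = 0
        while total <= max_bytes:
            chunk = os.read(fd, 4096)
            if not chunk:
                break
            chunks.append(chunk)
            total += len(chunk)
        if total > max_bytes:
            raise ValueError(f"refusing {path!r}: grew past {max_bytes} bytes while reading")
        return b"".join(chunks)
    finally:
        os.close(fd)


def demo():
    """Constructed scenario: a normal settings file next to a symlink that
    points at /dev/zero, the kind of swap the article describes."""
    with tempfile.TemporaryDirectory() as d:
        regular = os.path.join(d, "settings")
        with open(regular, "wb") as f:
            f.write(b"LANG=C\n")
        link = os.path.join(d, "settings-link")
        os.symlink("/dev/zero", link)

        outcome = {"regular": safe_read_user_file(regular)}
        try:
            safe_read_user_file(link)
            outcome["symlink"] = "read"
        except ValueError as exc:
            outcome["symlink"] = "rejected"
            outcome["reason"] = str(exc)
        return outcome


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: the regular-file test has to run on the already-open descriptor (`fstat`), not on the path (`stat`), or the file can be swapped between the check and the open. Dropping privileges before touching user-owned files, which the daemon in the article does, is still the right instinct; the hardened read is what stops a dropped-privilege process from being wedged in the first place.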
The second bug in this exploit involves how the GNOME Display Manager (gdm3) handles privileges. Normally it would not run with administrator privileges, but if the accountsservice daemon isn’t running it escalates itself to administrator, so any changes made from that point on are made with administrator privileges. This gives an attacker the opportunity to create a new user account with administrator privileges.
Of course, this being Ubuntu, we can assume that this vulnerability will be patched immediately. It’s also a good time to point out that the reason open-source software is inherently more secure is that when anyone can see the source code, anyone can find and report issues like this, which allows the software maintainer (or even the users themselves) to make effective changes more quickly.
Ubuntu is the Windows of the Linux world. Unattended updates that happen in the background and services that send data to Amazon. No thanks.
++
> November 11, 2020 at 12:27 pm
@HAD: Come on! Think global — use UTC!
I believe the server uses UTC, and tries to convert to your time zone on-the-fly.
Nope!
My systems (except the phones) run completely on UTC.
@zombie: You are not a zombie, you are a freak! :-)
When I look at the clock display of my computer, I want to read local time (like my phone and my watch), and also when I look at file dates/times.
Don’t knock it though, because it does lean that way: it’s really approachable for those just getting into decent OSes and convenient for the rest of us, as it tends to just work in a way other distros make you work at some. It’s also, being a Linux, configurable in a way the closed-source crap can’t be.
I use all sorts but frequently do end up with at least one machine running Ubuntu; it’s hard to argue with throwing in a bootable installer and having it just work most of the time.
Not everyone wants a hackers OS, some people just want things simple and let the computer take care of the hard stuff. Why do you think iOS is such a popular Linux flavour?
Yep. I am to the point in my life where I want my Workstation/Servers/Laptops OS ‘simple’. I used to use Slack, then RedHat and Fedora Core and finally Fedora, even tried Arch and a few others. But got tired of upgrading every 6 months or so on multiple computers… Mint LTS came along and it was great. But when I jumped on AMD Ryzen early, Mint didn’t support the platform initially… So I installed LUbuntu, which did. Out of the box it includes all the applications one normally would use and has on tap just about any package you can think of to download. I can see why people like to use Ubuntu (or one of the spins like LUbuntu, KUbuntu). I am now on the 20.04 LTS for the next few years.
iOS is not a Linux flavor, it’s a BSD flavor.
Don’t reply! It’s a Troll!
I think they are done with the Amazon thing…I think it’s still the best OS to get into Linux due to support it gets
I’ve never seen mine do ‘unattended’ updates. I use ‘apt’ to manually update at my convenience. As for services that send data to Amazon…. I wasn’t aware of that. Need to research. All my laptops, desktops, and home server run KUbuntu 20.04 LTS. What’s this Windoze thing that people talk about? :) Kidding.
Quick search says that Ubuntu has dropped the Amazon Web Launcher in 20.04 due to push back by users. A good thing. Personally I don’t ever remember seeing the launcher… Then again I don’t install Gnome (don’t like it) so that may be the reason why.
It was only a ‘lens’ in Unity.
Not quite true. Easy to turn off after install. And it does not come back on, unlike Windows. I run Pop!_OS and their tweaks make Ubuntu extremely nice to use.
Ah, breaking the login process makes the login manager think there are no user accounts on the system, triggering the first-boot setup. In retrospect, that’s a rather weak link in itself.
Not very concerning – getting to the part where you make a new admin account requires physical access. But if you have physical access, you can reboot into single-user mode anyway.
Definitely should be fixed, but nothing I’m losing sleep over.
Does this apply to UbuntuStudio? It uses the XFCE graphic desktop, not gnome. I accidentally downloaded Ubuntu-not-studio 20.04, and couldn’t figure things out and wouldn’t recommend it. UbuntuStudio is a great big package all ready to do music and sound, video and more.
“the reason that open-source software is inherently more secure…..”
I’ve seen this argument a lot but I’ve also seen countless examples of it being shown as half true. SSH had a vulnerability for, what, 10 years that the three-letter agency was leveraging, but no one in the open source world found it. Why? Of the millions of open source users, how many do we honestly believe are performing routine security audits of every single patch pushed into the code of every single open source project they use?
I recall seeing a lot of papers discussing how, if you wanted to exploit people’s systems, open source assets may be the easiest target: contribute to the project a handful of times and people likely will stop intently scrutinizing your work, so you can intentionally inject security issues. This isn’t the fault of open source; it’s just human nature.
I’m not trying to argue that closed source is inherently better, but let’s just call it what it is. A different problem space.
anon, you’re neglecting the crux of “open-source software is inherently more secure”: the word “more”. You can’t evaluate the truth of this claim by looking at the numerous severe security problems that plague open source software. In order to evaluate this claim you have to also examine closed-source software.
Ubuntu isn’t bad once you tear out snapd and run something other than unity as a window manager. I use it on laptops since it seems to have the least trouble with hardware support and UEFI.
If you’re truly concerned about security, run OpenBSD.
Doesn’t surprise me. Ubuntu is the Windows of the Linux world. I honestly don’t count their userbase as Linux users.
Ubuntu is like the current consumer version of Windows while the current server version of Windows would be more akin to RedHat.
What makes a Linux user if not using Linux? Even Android users use the Linux kernel…
A user is a user not a system admin and an operating system is only a commodity. So yes Ubuntu users are Linux users whatever their qualification level as system admin.
Sorry, accidentally reported. Touchscreens suck.
> “Of course, this being Ubuntu, we can assume that this vulnerability will be immediately patched.”
What?