Introduce a Mechanism to Disable the Power of the `gnome-initial-setup` user
The privileges listed in `20-gnome-initial-setup.rules` basically make the `gnome-initial-setup` user equivalent to root. This can reduce a system's defense in depth: a smaller security issue could be exploited to leverage the power of the `gnome-initial-setup` user. For example:
- Removing existing user accounts or possibly corrupting the user database could cause the privileged `gnome-initial-setup` mode to be triggered again.
- Renaming a user to one of the names blacklisted by `accountsservice`, like `shutdown`, can also be used to trigger the privileged `gnome-initial-setup` mode again.
- An exploit that allows acting as other users, but not as root (uid 0), could leverage `gnome-initial-setup` to gain full root privileges.
- An unprivileged user may be able to install `gnome-initial-setup`, even if it wasn't present before, via mechanisms like PackageKit, and use it as an additional attack vector.
Since the privileged `gnome-initial-setup` mode should only ever be needed once during an operating system's lifecycle, it would be a security precaution to permanently disable the privileged mode after one of the following conditions is met:
- The privileged wizard was successfully finished.
- Any regular login in `gdm` succeeds.
Disabling the extra privileges can be considered at different levels:
1) The possibility to trigger the privileged `gnome-initial-setup` greeter application to be run.
2) The possibility to use the `gnome-initial-setup` account for running commands.
3) The existence of the `20-gnome-initial-setup.rules` file that allows the `gnome-initial-setup` user to perform privileged actions.
Removing 3) would be easy but could conflict with packaging information. Locking the account 2) could prevent a couple of attack types. Creating some kind of state file that prevents 1) from being triggered would be an approach but would not catch all conceivable attack types.
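As an added illustration (not code from this issue or from the gnome-initial-setup project), the following POSIX shell helper audits a host against the three levels above: whether the polkit rules file still exists (3), whether the `gnome-initial-setup` account is locked in the shadow database (2), and whether a completion marker is present (1). The marker path `/var/lib/gnome-initial-setup/.setup-complete` is an assumption of this example, since the issue only proposes "some kind of state file" without naming one; the rules and shadow paths are the usual locations and can be overridden through environment variables so the functions can be run against a copied or constructed tree.

```shell
#!/bin/sh
# Added example: audit the three "levels" at which the privileged
# gnome-initial-setup mode can be disabled. Not part of the project.

ACCOUNT="gnome-initial-setup"
# Polkit rules file named in the issue (default location on a typical install).
RULES_FILE="${RULES_FILE:-/etc/polkit-1/rules.d/20-gnome-initial-setup.rules}"
SHADOW_FILE="${SHADOW_FILE:-/etc/shadow}"
# Hypothetical completion marker; the issue does not name a state file, so this
# path is an assumption of this example.
STATE_FILE="${STATE_FILE:-/var/lib/gnome-initial-setup/.setup-complete}"

# Level 3: does the rules file that grants the privileges still exist?
gis_rules_present() {
    [ -e "$RULES_FILE" ]
}

# Level 2: is the account locked? Returns 0 if the shadow password field starts
# with '!' or '*' (locked), 1 if the account is usable, 2 if there is no shadow
# entry for it, 3 if the shadow file cannot be read (not running as root).
gis_account_locked() {
    [ -r "$SHADOW_FILE" ] || return 3
    entry=$(grep "^${ACCOUNT}:" "$SHADOW_FILE") || return 2
    pw=$(printf '%s\n' "$entry" | cut -d: -f2)
    case "$pw" in
        '!'*|'*'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Level 1: has the wizard been marked as finished?
gis_wizard_done() {
    [ -e "$STATE_FILE" ]
}

# Prints one line per level; the return value is the number of levels that are
# still open (0 means the privileged mode is disabled at every level).
gis_audit() {
    open=0
    if gis_rules_present; then
        echo "3) $RULES_FILE present: polkit still grants $ACCOUNT privileged actions"
        open=$((open + 1))
    else
        echo "3) rules file absent"
    fi
    rc=0
    gis_account_locked || rc=$?
    case "$rc" in
        0) echo "2) $ACCOUNT account is locked" ;;
        1) echo "2) $ACCOUNT account is usable"; open=$((open + 1)) ;;
        2) echo "2) $ACCOUNT account has no shadow entry" ;;
        *) echo "2) cannot read $SHADOW_FILE; rerun as root to check the account" ;;
    esac
    if gis_wizard_done; then
        echo "1) completion marker $STATE_FILE present"
    else
        echo "1) no completion marker: the privileged wizard can be triggered again"
        open=$((open + 1))
    fi
    return "$open"
}

# Usage on a live system (the shadow check needs root):
#   sudo sh -c '. ./gis-audit.sh; gis_audit'
```

The return code of `gis_audit` is deliberately a count rather than a boolean so that the output can feed a compliance check that distinguishes "only the rules file is left" from "nothing was ever disabled". Note that a locked account alone leaves level 1 open: a fresh trigger of the wizard still runs with the account's polkit rights, which is why the issue treats the three levels separately.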