GNOME / gnome-initial-setup / Issues / #76

Closed
Open
Created May 27, 2019 by Matthias Gerstner@mgerstner

Introduce a Mechanism to Disable the Power of the `gnome-initial-setup` user

The privileges listed in 20-gnome-initial-setup.rules basically make the gnome-initial-setup user equivalent to root. This can reduce a system's defense in depth. A smaller security issue could be exploited to leverage the power of the gnome-initial-setup user. For example:

  • Removing existing user accounts or possibly corrupting the user database could cause the privileged gnome-initial-setup mode to be triggered again.
  • Renaming a user to one of the names blacklisted by the accountsservice like shutdown also can be used to trigger the privileged gnome-initial-setup mode again.
  • An exploit that allows acting as other users, but not as root (uid 0), could leverage gnome-initial-setup to gain full root privileges.
  • An unprivileged user may have the possibility to install gnome-initial-setup even if it wasn't present before via mechanisms like PackageKit to use it as an additional attack vector.

Since the privileged gnome-initial-setup mode should only ever be needed once during an operating system's lifecycle it would be a security precaution to permanently disable the privileged mode after one of the following conditions is met:

  • The privileged wizard was successfully finished.
  • Any regular successful login in gdm succeeds.

Disabling the extra privileges can be considered at different levels:

  1. The possibility to trigger the privileged gnome-initial-setup greeter application to be run.
  2. The possibility to use the gnome-initial-setup account for running commands.
  3. The existence of the 20-gnome-initial-setup.rules file that allows the gnome-initial-setup user to perform privileged actions.

Removing 3) would be easy but could conflict with packaging information. Locking the account 2) could prevent a couple of attack types. Creating some kind of state file that prevents 1) from being triggered would be an approach but will not catch all thinkable attack types.
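An audit sketch for levels 2) and 3) above, added here as an example; it is not part of the original issue and not code from gnome-initial-setup. It assumes the standard polkit rules directories and shadow(5) file format, and it treats an expired account or a disabled password field as "locked", which is one reading of level 2) that the issue itself does not spell out.

```shell
#!/bin/sh
# Added example: report levels 2 and 3 from the issue for one system root.
# ROOT ("" means the live system) lets the checks run on a constructed fixture.
ACCOUNT="gnome-initial-setup"
RULES="20-gnome-initial-setup.rules"

# Level 3: list copies of the rules file in the standard polkit rules directories.
find_rules() {
    for dir in "$1/usr/share/polkit-1/rules.d" "$1/etc/polkit-1/rules.d"; do
        if [ -f "$dir/$RULES" ]; then printf '%s\n' "$dir/$RULES"; fi
    done
}

# Level 2: classify the account from ROOT/etc/passwd and ROOT/etc/shadow.
# Prints absent | unknown | expired | password-locked | usable.
account_state() {
    root="$1"
    today="${2:-$(( $(date +%s) / 86400 ))}"   # days since the epoch
    if ! grep -q "^$ACCOUNT:" "$root/etc/passwd" 2>/dev/null; then
        echo absent; return 0
    fi
    if [ ! -r "$root/etc/shadow" ]; then
        echo unknown; return 0                 # reading shadow needs root
    fi
    awk -F: -v u="$ACCOUNT" -v today="$today" '
        $1 == u {
            seen = 1
            if ($8 + 0 > 0 && $8 + 0 <= today + 0) print "expired"
            else if ($2 ~ /^[!*]/)                 print "password-locked"
            else                                   print "usable"
        }
        END { if (!seen) print "usable" }          # no shadow entry: not locked
    ' "$root/etc/shadow"
}

report() {
    echo "account $ACCOUNT: $(account_state "$1")"
    rules=$(find_rules "$1")
    if [ -n "$rules" ]; then echo "polkit rules present: $rules"
    else echo "polkit rules file not found"; fi
}

if [ "${1:-}" = "--report" ]; then report "${2:-}"; fi
```

Run it as root with `--report` to inspect the live system. A "password-locked" or "expired" result says nothing about level 1), since the display manager may still be able to start the greeter session for that account.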
