How to get root on Ubuntu 20.04 by pretending nobody’s /home

https://securitylab.github.com/research/Ubuntu-gdm3-accountsservice-LPE

  • Cool story! I’m especially happy with the choice to move to Debian now. 😅
  • accountsservice lowers its privilege level (what is this actually called at the kernel level?) to read the .pam_environment file.
  • This file was added in an Ubuntu-specific patch to accountsservice, and symlinking it to /dev/zero causes accountsservice to hang.
  • The lower privilege level then lets you crash accountsservice by signalling to it.
  • If you do this when logged out, gdm thinks no users exist on the system (user count defaults to zero) and lets you create a new (root) user.
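The commenter's question about what the privilege drop is called at the kernel level, and the observation that the lowered privilege lets an ordinary user signal the daemon, both come down to the kernel's signal-permission rule. The following is an added example (not code from the linked article, from accountsservice, or from the commenter) that models that rule as documented in kill(2): the sender's real or effective UID must match the target's real or saved set-user-ID, unless the sender has CAP_KILL. The three privilege-drop patterns are constructed illustrations of what setresuid(2) would leave behind; which exact call accountsservice used is not stated on this page, so none of them is claimed to be its code. The point for anyone writing a privileged daemon is that the target's effective UID plays no part in the check, so a drop that changes the real UID makes the daemon signalable by that user while the saved UID 0 still lets it climb back.

```c
// Added example: model of the Linux kill(2) permission rule, used to check
// which privilege-drop pattern leaves a root daemon signalable by the
// unprivileged user it temporarily switched to. Constructed for illustration;
// CAP_KILL and user namespaces are ignored.
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

struct creds {
    uid_t ruid;   /* real uid */
    uid_t euid;   /* effective uid */
    uid_t suid;   /* saved set-user-id */
};

/* Mirrors the kernel rule (minus CAP_KILL): only the target's real and
 * saved uids matter; its effective uid is never consulted. */
bool may_signal(const struct creds *sender, const struct creds *target)
{
    return sender->euid == target->suid ||
           sender->euid == target->ruid ||
           sender->ruid == target->suid ||
           sender->ruid == target->ruid;
}

/* Three hypothetical ways a root daemon might lower privilege to `user`
 * while keeping saved uid 0 as a way back. Each returns the triple that the
 * named setresuid(2) call would produce, starting from {0, 0, 0}. */
struct creds drop_effective_only(uid_t user)      /* setresuid(-1, user, -1) */
{
    struct creds c = { 0, user, 0 };
    return c;
}

struct creds drop_real_and_effective(uid_t user)  /* setresuid(user, user, -1) */
{
    struct creds c = { user, user, 0 };
    return c;
}

struct creds drop_all(uid_t user)                 /* setresuid(user, user, user) */
{
    struct creds c = { user, user, user };
    return c;
}

/* True when a process running entirely as `user` could deliver a signal
 * (e.g. SIGSEGV) to the daemon after the given drop. */
bool user_can_signal_after(struct creds (*drop)(uid_t), uid_t user)
{
    struct creds daemon = drop(user);
    struct creds caller = { user, user, user };   /* an ordinary login shell */
    return may_signal(&caller, &daemon);
}

int main(void)
{
    uid_t user = 1000;   /* constructed sample uid */
    printf("effective only:      %s\n",
           user_can_signal_after(drop_effective_only, user) ? "signalable" : "protected");
    printf("real and effective:  %s\n",
           user_can_signal_after(drop_real_and_effective, user) ? "signalable" : "protected");
    printf("all three:           %s\n",
           user_can_signal_after(drop_all, user) ? "signalable" : "protected");
    return 0;
}
```

The first pattern is the only one the user cannot signal, because the daemon's real and saved uids both stay 0; the other two expose the daemon for as long as the drop lasts, which is exactly the window a hang on a file read would extend. Whatever pattern a daemon uses, the lesson is to treat the dropped-privilege window as code that an unprivileged user can interrupt, and to keep it short and free of blocking reads on user-controlled paths.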