Beware automating account creation

The following incident was published today,

It described a vulnerability discovered on Ubuntu (AFAIK it does not exist on openSUSE, but that should be verified) that happened because Ubuntu implemented a commonly used service for managing accounts, called AccountsService, which when abused triggered the Gnome Desktop to activate the flow that creates the first account on startup. A hacker could trivially cause this to happen and create his own special user account with elevated permissions.

Of course, each of these services wasn’t intended to be misused separately, but IMO each did not fully appreciate the effect of each being misused, so didn’t properly restrict what could invoke the service.

Furthermore, I don’t use or study what happens under the hood on Ubuntu, so I don’t know the reasons for Ubuntu and Gnome to use these services, but I really wonder what the reasoning is for the Gnome functionality… Although I can appreciate the value of reusable code, what is the reason for creating the first account on a system to remain active after first installation? I would think that even if some extremely odd and unlikely event were to happen that would wipe every user account from the system (except possibly root), time-honored commands and procedures would be sufficient to recover, or a system rebuild should be forced.

Although I might write off the Ubuntu bug and exploit as a mistake to be fixed for a service that is essential to how Ubuntu might work, I really question the value of the Gnome Desktop bug and vulnerability, and wonder if that should be either deleted entirely after installation (does it have any value after installation?) or disabled in such a way that it would be very difficult to invoke, and only under very, very special circumstances.

In any case, even if it was found only on Ubuntu, this probably warrants at least a look by all other distros to make sure it isn’t a latent problem elsewhere and wherever Gnome Desktop is installed.


Seems there was a mitigation performed last year…
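As an added example (not from the post above, and not code from Ubuntu, GNOME or openSUSE): a small POSIX shell audit a defender could run on their own system to check whether a GNOME initial-setup binary is still installed, and to list which regular accounts already belong to an admin group, so that an unexpected privileged account stands out. The binary locations and the admin group names are assumptions that vary by distro; the ROOT argument lets the checks run against a copied tree.

```shell
#!/bin/sh
# Added example: audit helpers for the concern raised in the post.
# (1) Is a GNOME first-user / initial-setup binary still installed?
# (2) Which UID >= 1000 accounts already hold admin-group membership?
# Paths and group names below are assumptions; adjust for your distro.

# Candidate locations of the gnome-initial-setup binary (assumed, distro-dependent).
INITIAL_SETUP_PATHS="usr/libexec/gnome-initial-setup usr/bin/gnome-initial-setup usr/lib/gnome-initial-setup/gnome-initial-setup"

# Print every installed initial-setup binary found under ROOT (default: /).
# Returns 0 if at least one was found, 1 if none, so it can be used in an if.
find_initial_setup() {
    root="${1:-/}"
    root="${root%/}"          # strip trailing slash so "/" becomes ""
    found=1
    for p in $INITIAL_SETUP_PATHS; do
        if [ -x "$root/$p" ]; then
            echo "$root/$p"
            found=0
        fi
    done
    return $found
}

# List regular users (UID >= 1000) that are members of an admin group
# (sudo, wheel or admin; assumed names). Takes explicit passwd and group
# files so it also works on a copied or mounted tree.
# Output: one "user:group" line per membership, in group-file order.
list_admin_users() {
    passwd="$1"
    group="$2"
    awk -F: '
        NR == FNR { if ($3 >= 1000) users[$1] = 1; next }
        $1 == "sudo" || $1 == "wheel" || $1 == "admin" {
            n = split($4, members, ",")
            for (i = 1; i <= n; i++)
                if (members[i] in users) print members[i] ":" $1
        }
    ' "$passwd" "$group"
}
```

On a live system, run `find_initial_setup` with no argument and `list_admin_users /etc/passwd /etc/group`; compare the second output against the accounts you expect to be privileged.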