It depends in large part on the software repositories that are available to your users.

If you allow your users to add their own repositories to /etc/apt/sources.list or /etc/apt/sources.list.d/*, then you’ve given them an unrestricted root account.

If you stick with default Ubuntu repositories with default Ubuntu packages, you’re reasonably safe — at least, I don’t know any packages off the top of my head that install blatantly unsafe setuid programs or blatantly unsafe daemons, and I’d expect the Ubuntu security team to take any such bugs seriously.

Update

Ubuntu provides several different kinds of repositories:

                    Free software    Almost free software    Proprietary software
Ubuntu Supported       main             restricted
Community Supported    universe                                 multiverse
Vendor Supported                                                  partner

Everything in main and restricted is very-well supported and well-vetted by the Ubuntu security team. universe and multiverse aren’t included on the CDs/DVDs, are supported by the Ubuntu security team in a best-effort sort of way (which in my experience has been quite good, but they aren’t about to provide long-term support for any of it).

Everything in partner is passed along straight from software vendors without any oversight efforts by Ubuntu security team (though they make lean heavily on vendors of insecure products). Because the vendors want to stay easily available (and on the whole are honest) they won’t intentionally do something stupid to compromise your system security.

Since it is easy to set up your own repository, it’s important to ensure that untrusted users cannot add their own repositories to apt.