(11 intermediate revisions by the same user not shown) | |||
Line 4: | Line 4: | ||
This is part of the [[Security Team|Fedora Security Team's]] 90-day challenge. | This is part of the [[Security Team|Fedora Security Team's]] 90-day challenge. | ||
== | == Updates == | ||
Stéphane Graber would prefer to see two improvements happen in tandem ([https://github.com/lxc/lxc/pull/574#issuecomment-113245090 mentioned in this GitHub PR]): | |||
# Remove sshd from each template by default | |||
# Use a shared shell script so that password handling is identical for all containers. | |||
This presents a challenge as some containers have a normal user with sudo privileges (like Ubuntu). | |||
It seems like a shell script could have logic resembling the following: | |||
* Did the user provide a password for root (or the regular user with sudo privileges)? | |||
** If password supplied, use that one for root or the regular user with sudo privileges | |||
** If password not supplied, generate a random password and present that to the user at the end of the build | |||
* Is sshd present in the container's rootfs? | |||
** If yes, remove it | |||
** If no, pass | |||
== Template Status == | |||
The upstream templates are [https://github.com/lxc/lxc/tree/master/templates on Github]. Each template will be documented here as it's reviewed. | The upstream templates are [https://github.com/lxc/lxc/tree/master/templates on Github]. Each template will be documented here as it's reviewed. | ||
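Review bot: the first bullet of the proposed script logic treats root and the regular sudo user as alternatives, but the status table in this same revision lists Oracle EL with both a root password and an oracle/oracle account. The logic should say which accounts receive the supplied or random password when a template creates more than one, for example by adding a sub-bullet that covers every account the template gives a password.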
Line 10: | Line 25: | ||
{| | {| | ||
! | ! Distribution !! Status !! Default root<br>password? !! User can override<br>the default? !! Notes | ||
|- | |||
| AltLinux || {{warning}} || rooter || No || | |||
|- | |||
| Busybox || {{warning}} || root || No || Passwordless ssh logins allowed | |||
|- | |||
| CentOS || {{check}} || randomized || Yes || | |||
|- | |||
| CirrOS || {{warning}} || cirros/cubswin:)<br>(cirros user has sudo) || No || | |||
|- | |||
| Debian || {{warning}} || root || No || | |||
|- | |||
| Fedora || {{check}} || randomized || Yes || | |||
|- | |||
| Gentoo || {{warning}} || toor || Yes || | |||
|- | |- | ||
| | | OpenMandriva || {{warning}} || root || No || | ||
|- | |- | ||
| | | Oracle EL || {{warning}} || root || No || oracle/oracle exists as well | ||
|- | |- | ||
| | | Plamo || {{warning}} || root || No || | ||
|- | |- | ||
| Ubuntu || | | Ubuntu || {{warning}} || ubuntu/ubuntu<br>(has sudo) || Yes || User can set password for ubuntu user during build | ||
|- | |||
| Ubuntu Cloud || {{check}} || (see notes) || Yes || root account is locked unless user passes cloud-init data to configure the account | |||
|} | |} | ||
== Details == | |||
=== Alpine === | |||
The template can't download an APK that passes verification. It also doesn't seem to set a root password anywhere during the container creation. | |||
=== AltLinux === | |||
The password for root is set to <code>rooter</code> for all builds. | |||
=== ArchLinux === | |||
The user can specify a root password but root's account is left without a password if a password isn't provided. | |||
=== Busybox === | |||
Password for root is set to 'root' by default. Default ssh configuration allows root logins without a password as well. | |||
=== CentOS === | === CentOS === | ||
No changes needed as randomized root passwords are already applied during build. | No changes needed as randomized root passwords are already applied during build. | ||
=== Cirros === | |||
The password for root isn't set, but a user called cirros has the password <code>cubswin:)</code>. | |||
=== Debian === | === Debian === | ||
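Review bot: the status table added here has no rows for Alpine or ArchLinux, although the Details section in the same hunk documents both, and OpenSuse, which gets a Details section further down, is missing as well. ArchLinux in particular leaves root without a password when none is supplied, so it deserves a {{warning}} row; suggest adding the three rows so the table and the Details section cover the same templates.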
Line 29: | Line 77: | ||
=== Fedora === | === Fedora === | ||
No changes needed as randomized root passwords are already applied during build. | No changes needed as randomized root passwords are already applied during build. | ||
=== Gentoo === | |||
If a root password isn't specified, the root password is set to <code>toor</code>. | |||
=== OpenMandriva === | |||
The root password is set to <code>root</code> by default. | |||
=== OpenSuse === | |||
The root password is set to <code>root</code> by default. | |||
=== Oracle === | |||
The root password is set to <code>root</code> by default. The oracle user has the password <code>oracle</code>. | |||
=== Plamo === | |||
The root password is set to <code>root</code> by default. | |||
=== Ubuntu === | === Ubuntu === | ||
The | The Ubuntu template disables the root account but makes a regular user with sudo privileges that has <code>ubuntu</code> as a username and password (unless a user password is specified on the command line during build). | ||
A [https://github.com/major/lxc/commit/26f3a4ab2513546ad06ca3121858d7c68edd5177 fix has been proposed]. | |||
The Ubuntu Cloud template allows a user to specify cloud-init data to configure the container once it's booted. If the user doesn't specify any data, the root account is locked. | |||
[[Category:Security]] | [[Category:Security]] |
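Review bot: the Ubuntu Cloud paragraph at the end of this hunk sits under the === Ubuntu === heading with no heading of its own, while the status table has a separate Ubuntu Cloud row. Suggest adding a === Ubuntu Cloud === heading before it so each table row maps to one Details section.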
Latest revision as of 19:20, 18 June 2015
Mission
This project's mission is to eliminate the use of predictable passwords in LXC templates. It all started with BZ 1132001 which attached bug reports to fedora-all, EPEL 7, and EPEL 6. The problem exists upstream and the upstream developers are welcoming fixes.
This is part of the Fedora Security Team's 90-day challenge.
Updates
Stéphane Graber would prefer to see two improvements happen in tandem (mentioned in this GitHub PR):
- Remove sshd from each template by default
- Use a shared shell script so that password handling is identical for all containers.
This presents a challenge as some containers have a normal user with sudo privileges (like Ubuntu).
It seems like a shell script could have logic resembling the following:
- Did the user provide a password for root (or the regular user with sudo privileges)?
  - If password supplied, use that one for root or the regular user with sudo privileges
  - If password not supplied, generate a random password and present that to the user at the end of the build
- Is sshd present in the container's rootfs?
  - If yes, remove it
  - If no, pass
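One way to write the shared script outlined above, as an added example that is not LXC's or the page author's code. The function names, the remove_sshd_hook override and the sshd paths checked are assumptions; applying the password uses chroot and chpasswd, so that step needs root.

```sh
#!/bin/sh
# Added example: shared post-build step for LXC templates (names are hypothetical).

# 128 bits from the kernel CSPRNG, hex-encoded (32 characters).
gen_password() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Use the caller's password if one was supplied, otherwise generate one.
# Sets PASSWORD and PASSWORD_GENERATED (1 = random) for the caller.
choose_password() {
    if [ -n "${1:-}" ]; then
        PASSWORD=$1
        PASSWORD_GENERATED=0
    else
        PASSWORD=$(gen_password)
        PASSWORD_GENERATED=1
    fi
}

# Set the password inside the rootfs (requires root). printf is a shell
# builtin, so the password never appears in another process's argv.
apply_password() {  # rootfs account password
    printf '%s:%s\n' "$2" "$3" | chroot "$1" chpasswd
}

# True if an sshd binary is present in the container's rootfs.
sshd_present() {
    [ -x "$1/usr/sbin/sshd" ] || [ -x "$1/sbin/sshd" ]
}

# Each template overrides this with its own package-manager call.
remove_sshd_hook() {
    echo "remove_sshd_hook not defined for this template" >&2
    return 1
}

# account is root, or the sudo-capable user on templates such as Ubuntu.
finish_container() {  # rootfs account [password]
    choose_password "${3:-}"
    apply_password "$1" "$2" "$PASSWORD" || return 1
    if sshd_present "$1"; then
        remove_sshd_hook "$1" || return 1
    fi
    if [ "$PASSWORD_GENERATED" -eq 1 ]; then
        echo "Generated password for $2: $PASSWORD"
    fi
}
```

A template would source this file, define its own remove_sshd_hook, and call finish_container with the rootfs path, the account name and the optional user-supplied password as its last build step.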
Template Status
The upstream templates are on GitHub. Each template will be documented here as it's reviewed.
Details
Alpine
The template can't download an APK that passes verification. It also doesn't seem to set a root password anywhere during the container creation.
AltLinux
The password for root is set to 'rooter' for all builds.
ArchLinux
The user can specify a root password but root's account is left without a password if a password isn't provided.
Busybox
Password for root is set to 'root' by default. Default ssh configuration allows root logins without a password as well.
CentOS
No changes needed as randomized root passwords are already applied during build.
Cirros
The password for root isn't set, but a user called cirros has the password 'cubswin:)'.
Debian
The upstream Debian template currently sets root's password to 'root'. There's a proposed fix waiting on feedback from Debian's LXC package maintainer.
Fedora
No changes needed as randomized root passwords are already applied during build.
Gentoo
If a root password isn't specified, the root password is set to 'toor'.
OpenMandriva
The root password is set to 'root' by default.
OpenSuse
The root password is set to 'root' by default.
Oracle
The root password is set to 'root' by default. The oracle user has the password 'oracle'.
Plamo
The root password is set to 'root' by default.
Ubuntu
The Ubuntu template disables the root account but makes a regular user with sudo privileges that has 'ubuntu' as a username and password (unless a user password is specified on the command line during build).
The Ubuntu Cloud template allows a user to specify cloud-init data to configure the container once it's booted. If the user doesn't specify any data, the root account is locked.