Vagrant images: regular user accounts can gain administrative privileges #76

Closed
lpancescu opened this Issue Oct 10, 2016 · 0 comments


@lpancescu
Contributor

Since the password to the root and vagrant accounts is publicly known, regular user accounts are able to gain administrative privileges by issuing either `su -` or `su - vagrant` (the vagrant user has full sudo rights, without requiring a password).

This might surprise beginners creating additional user accounts with `useradd`; we should probably change our default configuration not to allow that.

lpancescu added a commit to lpancescu/sig-cloud-instance-build that referenced this issue Oct 12, 2016
Fix issue #76: regular users can use su to gain admin privs
Allow root and vagrant to use su without limitations, but prevent others
from using su to become root or vagrant (both accounts have a
publicly-known password)
507b443
lpancescu closed this Oct 27, 2016
cognifloyd added a commit to cognifloyd/ansible-role-vagrant-user that referenced this issue Jan 17, 2017
Fix for sig-cloud-instance-build#76
Adapt fix to:
"allow vagrant to use su, but prevent others from becoming root or
vagrant"
From (thanks to @lpancescu):
CentOS/sig-cloud-instance-build#76
CentOS/sig-cloud-instance-build#77
CentOS/sig-cloud-instance-build@507b443
e3abea8
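
The policy stated in the commit messages above, modelled as a PAM `account` stack for `su` and evaluated for several caller/target pairs. This is an added example, not code from the referenced commits: the stack lines, the accounts `alice` and `bob` and all UIDs are constructed, and only the `account` phase is modelled (password checks in the `auth` phase are outside it).

```python
import re

# Constructed account stack for /etc/pam.d/su (an assumption, not the commit's text).
SU_ACCOUNT_STACK = """\
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account [success=1 default=ignore] pam_succeed_if.so user = vagrant use_uid quiet
account required pam_succeed_if.so user notin root:vagrant
"""

UIDS = {"root": 0, "vagrant": 1000, "alice": 1001, "bob": 1002}  # constructed accounts

def succeed_if(args, caller, target):
    """Evaluate one pam_succeed_if condition of the form <field> <op> <value>."""
    # use_uid makes the module test the calling user instead of the target user.
    subject = caller if "use_uid" in args else target
    field, op, value = args[:3]
    actual = str(UIDS[subject]) if field == "uid" else subject
    if op == "=":
        return actual == value
    if op == "notin":
        return actual not in value.split(":")
    raise ValueError(f"unsupported operator {op!r}")

def su_account_allowed(caller, target, stack=SU_ACCOUNT_STACK):
    """Walk the account stack, applying each line's PAM control flag."""
    skip, failed = 0, False
    for line in stack.splitlines():
        m = re.match(r"account\s+(\[.*?\]|\S+)\s+pam_succeed_if\.so\s+(.*)", line)
        if not m:
            continue
        if skip:                      # jumped over by an earlier [success=N]
            skip -= 1
            continue
        control, ok = m.group(1), succeed_if(m.group(2).split(), caller, target)
        if control == "sufficient" and ok and not failed:
            return True               # success ends the stack immediately
        if control == "required" and not ok:
            failed = True             # failure is final, remaining lines still run
        if control.startswith("[success=") and ok:
            skip = int(re.search(r"success=(\d+)", control).group(1))
    return not failed

if __name__ == "__main__":
    for pair in [("alice", "root"), ("alice", "vagrant"), ("alice", "bob"),
                 ("vagrant", "root"), ("root", "vagrant")]:
        print(pair, su_account_allowed(*pair))
```

Removing the third line of the constructed stack reproduces the behaviour reported in the issue: every pair is then accepted by the account phase.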