[Security Risk] Home Assistant Container LXC installs unsecured portainer instance on network w/no warning(s)

[numericOverflow]

✅ Have you read and understood the above guidelines?

Yes

📜 What is the name of the script you are using?

Home Assistant (LXC)

📂 What was the exact command used to execute the script?

bash -c "$(wget -qLO - https://github.com/community-scripts/ProxmoxVE/raw/main/ct/homeassistant.sh)"

📝 Provide a clear and concise description of the issue.

Installing Home Assistant LXC also installs a Portainer instance in that LXC which has no default user/pass configured. The first person to access the instance Portainer webgui can pwn that install as they get to set the admin credentials.

IMO, this seems like a big security risk to leave an open portatiner install on the network . There's no warning(s) to user that portainer now exists and needs to be secured by finishing the portainer setup.

I only happened to find it b/c I copied the wrong URL while trying to open HomeAssistant for the first time.

⚙️ What settings are you using?

• Default Settings
• Advanced Settings

🖥️ Which Linux distribution are you using?

Debian 12

🔄 Steps to reproduce the issue.

Run the HA (LXC) install command.
bash -c "$(wget -qLO - https://github.com/community-scripts/ProxmoxVE/raw/main/ct/homeassistant.sh)"

everything from there is automatic.

Visit the HA url shown after install script completes.

Set admin user/pass on that portainer instance.

❌ Paste the full error output (if available).

Not an error, script installed successfully. This is a security risk

To mitigate, I'd suggest any of the following

1. Do not install portainer.
2. Not allow portainer to be access outside the LXC (if possible)
3. Finish the portainer setup and secure it with a proper uers/pass either from user prompt or random generated at install time if user never needs to manage/maintain portainer.

🖼️ Additional context (optional).

[MickLesk]

It is impossible to automate this. Portainer Setup only with UI. Basically, this should probably be in the portainer repo, as we have no control over the tool.

If it were, the most we ist to add a note on Website. But surely everyone who installs portainer should also know that it needs to be set up?

[tremor021]

Also how the hell someone can "pwn" this? You're the one installing it...

[numericOverflow]

It is impossible to automate this. Portainer Setup only with UI. Basically, this should probably be in the portainer repo, as we have no control over the tool.

If it were, the most we ist to add a note on Website. But surely everyone who installs portainer should also know that it needs to be set up?

@MickLesk - True, if I set out to install Portainer, I would absolutely know to go secure it. I wasn't expecting portainer to be installed so that's the issue, IMO.

I guess the unexpected nesting of LXC->Portainer->Docker container is really what I see as the problem. I get it, HA is distributed as a docker image which necessitates portainer, but at least tell the users they are responsible to go secure the newly installed dependency.

There's often tons of dependencies installed when a app or container is setup, but I think the general expectation is that you should only need to configure the main application you're installing (in this case Home Assistant) and not necessarily go secure each & every dependency (Portainer) unless explicitly told you must do so.

A note on the website as well as notice when the install script completes would be a decent start as there's nothing suggesting that portainer is installed unless you closely watch the actual install steps.

• Maybe a solution would be to add a firewall rule during install to block any access to port 9443 of the nested portainer instance so it can't be configured/accessed by anyone outside the LXC?

Also how the hell someone can "pwn" this? You're the one installing it...

@tremor021 - If someone finds the unconfigured portainer UI, they can do anything they want to the HA setup where there is a TON of sensitive info within HA. They just complete the portainer setup with any user/pass they want and bingo. This feels pretty "pwn" to me...

[numericOverflow]

BTW - don't me wrong, these scripts are great and I absolutely love the work. I'm just reporting what I see as a security hole with the hope to make it better in the end :)

[tremor021]

@numericOverflow thats not how it works. Portainer has 5 minute timeout for you to enter new user. If you fail, it shuts down the container

[numericOverflow]

Right, but it

@numericOverflow thats not how it works. Portainer has 5 minute timeout for you to enter new user. If you fail, it shuts down the container

Right, but from my testing, that configuration timeout window reopens every time I restart the container.

[tremor021]

@numericOverflow Correct. After you restart Portainer, you get a chance to enter user/pass again for 5 minutes. If the guy attacking you has power to start a container on your host, then i'm afraid you have bigger problems than Portainer.

[Mati-l33t]

Are you not already pwned if someone have access to your LAN?

[numericOverflow]

OK, let me frame this another way:

• Why is portainer bundled with HomeAssistant by default,? Shouldn't docker alone be enough to run HA and portainer is just an optional add-on?

Wouldn't it be better if we just ask the user if they actually want portainer, and only install it if they say yes?

That's looks like the strategy the docker LXC install script takes

[MickLesk]

We do not change the logic of stock scripts to this extent. Portainer is fixed there, therefore no optional question necessary / useful.

As already explained, Portainer loses the option to store a user password there after 5 minutes, until the next restart.

I have added the information on the website accordingly. But in the end, if someone is in your network within 5 minutes, they certainly have better things to do than bashing Portainer with HomeAssistant :-D