Default installation allows user to su to root without password after installing shadow-package #430
Comments
I can confirm the issue.
ncopa
added a commit
to ncopa/official-images
that referenced
this issue
Mar 6, 2019
Builds are now only generated from upstream minirootfs tarballs. The release and update scripts have been refactored and moved to https://github.com/alpinelinux/docker-alpine

This commit also includes an update of all supported images:
- edge (20190228 snapshot)
- v3.9.2
- v3.8.4
- v3.7.3
- v3.6.5

This commit also introduces the v3.9 armv7 image and removes unsupported branches v3.5 and older.

Fixes at least the following issues:
- gliderlabs/docker-alpine#495
- gliderlabs/docker-alpine#471
- gliderlabs/docker-alpine#463
- gliderlabs/docker-alpine#460
- gliderlabs/docker-alpine#455
- gliderlabs/docker-alpine#430 (security)
- gliderlabs/docker-alpine#375
This has been fixed with: docker-library/official-images#5516 Thanks!
For the record, the upstream commit fixing the issue is:
Hi,
This is basically the same problem as with #101, but this time it requires the installation of the shadow-package.
It seems that by default /bin/su is a link to busybox which does not have the SUID bit set so the empty root password is not an issue. However, the situation silently changes if the user installs the shadow-package for user account management. This was a major surprise to me when I noticed it and, IMHO, the correct way to fix this for good is to just disable the root password with '*'.
To demonstrate, here's how it happens:
It may as well be linux-pam that does it but that's beside the point. Let me know if you need more information.
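
A check for the condition described in this issue, as an added example that is not part of the original post or of the Alpine project's tooling: it flags a root filesystem in which an account has an empty password field in /etc/shadow and su is a set-uid binary. The function names and the two su paths checked (bin/su, usr/bin/su) are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a root filesystem for the condition this issue describes.

# Accounts whose /etc/shadow password field is empty (no password required).
# A field of '*' or '!' is not empty: it matches no password at all.
empty_password_accounts() {
    [ -r "$1/etc/shadow" ] || return 0
    awk -F: '$2 == "" { print $1 }' "$1/etc/shadow"
}

# Resolve one level of symlink inside the rootfs, so an absolute link such as
# /bin/su -> /bin/busybox is checked in the image and not on the host.
resolve_in_root() {
    f="$1/$2"
    if [ -L "$f" ]; then
        t=$(readlink "$f")
        case "$t" in
            /*) f="$1$t" ;;
            *)  f="$(dirname "$f")/$t" ;;
        esac
    fi
    printf '%s\n' "$f"
}

# su paths (assumed locations) whose target is a regular set-uid file.
setuid_su_binaries() {
    for p in bin/su usr/bin/su; do
        target=$(resolve_in_root "$1" "$p")
        if [ -f "$target" ] && [ -u "$target" ]; then
            echo "/$p"
        fi
    done
}

# Exit status: 0 clean, 1 empty password only, 2 empty password + set-uid su.
audit_rootfs() {
    root="${1%/}"
    accounts=$(empty_password_accounts "$root" | tr '\n' ' ')
    sus=$(setuid_su_binaries "$root" | tr '\n' ' ')
    if [ -n "$accounts" ] && [ -n "$sus" ]; then
        echo "FAIL: empty password [ ${accounts}] and set-uid su [ ${sus}]"
        return 2
    elif [ -n "$accounts" ]; then
        echo "WARN: empty password [ ${accounts}], no set-uid su found"
        return 1
    fi
    echo "OK: no account has an empty password field"
}
```

Call it as audit_rootfs /path/to/unpacked/rootfs, or audit_rootfs / inside a running container as a user who can read /etc/shadow. The WARN state is the default image the post describes, and FAIL is the same image once su has become a set-uid binary.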