Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Default installation allows user to su to root without password after installing shadow-package #430

Closed
kalaksi opened this issue Aug 5, 2018 · 3 comments

Comments

Projects
None yet
3 participants
@kalaksi
Copy link

commented Aug 5, 2018

Hi,

This is basically the same problem as with #101, but this time it requires the installation of the shadow-package.
It seems that by default /bin/su is a link to busybox which does not have the SUID bit set so the empty root password is not an issue. However, the situation silently changes if the user installs the shadow-package for user account management. This was a major suprise to me when I noticed it and, IMHO, the correct way to fix this for good is to just disable the root password with '*'.

To demonstrate, here's how it happens:

$ docker run -it alpine:3.8 sh
/ # ls -l /bin/su
lrwxrwxrwx    1 root     root            12 Jul  5 14:47 /bin/su -> /bin/busybox
/ # ls -l /bin/busybox
-rwxr-xr-x    1 root     root        796312 May 30 10:46 /bin/busybox
/ # apk --no-cache add shadow
fetch http://dl-cdn.alpinelinux.org/alpine/v3.8/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.8/community/x86_64/APKINDEX.tar.gz
(1/2) Installing linux-pam (1.3.0-r0)
(2/2) Installing shadow (4.5-r0)
Executing busybox-1.28.4-r0.trigger
OK: 7 MiB in 15 packages
/ # ls -l /bin/su
-rwsr-xr-x    1 root     root         36560 May 19 11:19 /bin/su

It may as well be linux-pam that does it but that's beside the point. Let me know if you need more information.

@dbjpanda

This comment has been minimized.

Copy link

commented Nov 14, 2018

I can confirm the issue.

ncopa added a commit to ncopa/official-images that referenced this issue Mar 6, 2019

alpine: builds from new upstream
Builds are now only generated from upstream minirootfs taballs. The
release and update scripts have been refactored and moved to
https://githib.com/alpinelinux/docker-alpine

This commit also include update of all supported images:
- edge (20190228 snapshot)
- v3.9.2
- v3.8.4
- v3.7.3
- v3.6.5

This commit also introduces v3.9 armv7 image and remove unsupported
branches v3.5 and older.

fixes at least the following issues:
- gliderlabs/docker-alpine#495
- gliderlabs/docker-alpine#471
- gliderlabs/docker-alpine#463
- gliderlabs/docker-alpine#460
- gliderlabs/docker-alpine#455
- gliderlabs/docker-alpine#430 (security)
- gliderlabs/docker-alpine#375

ncopa added a commit to ncopa/official-images that referenced this issue Mar 6, 2019

alpine: builds from new upstream
Builds are now only generated from upstream minirootfs taballs. The
release and update scripts have been refactored and moved to
https://github.com/alpinelinux/docker-alpine

This commit also include update of all supported images:
- edge (20190228 snapshot)
- v3.9.2
- v3.8.4
- v3.7.3
- v3.6.5

This commit also introduces v3.9 armv7 image and remove unsupported
branches v3.5 and older.

fixes at least the following issues:
- gliderlabs/docker-alpine#495
- gliderlabs/docker-alpine#471
- gliderlabs/docker-alpine#463
- gliderlabs/docker-alpine#460
- gliderlabs/docker-alpine#455
- gliderlabs/docker-alpine#430 (security)
- gliderlabs/docker-alpine#375

ncopa added a commit to ncopa/official-images that referenced this issue Mar 6, 2019

alpine: builds from new upstream
Builds are now only generated from upstream minirootfs taballs. The
release and update scripts have been refactored and moved to
https://github.com/alpinelinux/docker-alpine

This commit also include update of all supported images:
- edge (20190228 snapshot)
- v3.9.2
- v3.8.4
- v3.7.3
- v3.6.5

This commit also introduces v3.9 armv7 image and remove unsupported
branches v3.5 and older.

fixes at least the following issues:
- gliderlabs/docker-alpine#495
- gliderlabs/docker-alpine#471
- gliderlabs/docker-alpine#463
- gliderlabs/docker-alpine#460
- gliderlabs/docker-alpine#455
- gliderlabs/docker-alpine#430 (security)
- gliderlabs/docker-alpine#375

ncopa added a commit to ncopa/official-images that referenced this issue Mar 7, 2019

alpine: builds from new upstream
Builds are now only generated from upstream minirootfs taballs. The
release and update scripts have been refactored and moved to
https://github.com/alpinelinux/docker-alpine

This commit also include update of all supported images:
- edge (20190228 snapshot)
- v3.9.2
- v3.8.4
- v3.7.3
- v3.6.5

This commit also introduces v3.9 armv7 image and remove unsupported
branches v3.5 and older.

fixes at least the following issues:
- gliderlabs/docker-alpine#495
- gliderlabs/docker-alpine#471
- gliderlabs/docker-alpine#463
- gliderlabs/docker-alpine#460
- gliderlabs/docker-alpine#455
- gliderlabs/docker-alpine#430 (security)
- gliderlabs/docker-alpine#375
@ncopa

This comment has been minimized.

Copy link
Collaborator

commented Mar 8, 2019

This has been fixed with: docker-library/official-images#5516

Thanks!

@ncopa

This comment has been minimized.

Copy link
Collaborator

commented May 9, 2019

For the record, the upstream commit fixing the issue is:
https://git.alpinelinux.org/aports/commit/?id=7a2566ec8260ceacae81088ebe2ffe6526c3809e

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.