New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
lxc-create creates vulnerable system in default debian template #302
Comments
I think it's better to leave root password empty and provide command line switch to override it if required. This would allow users jump into container console right after installation to proceed with configuration without requiring them to copy random strings around. Things should be fixed where they broken, and the real issue here is why would general purpose distro like debian provide openssh package with remote root access allowed by default. This is kind of security defaults I'd expect from any linux distro in modern days |
No, the only proper way is to have an autologin console attachable by lxc-console and to remove all password handling from scripts. I don't see any problems with allowing remote root access by default. As long as the password is not 'hunter2' or similar. |
(ftr: i've changed the github account name, showing this report to be filled as 'ghost') |
closes lxc#302 Signed-off-by: Evgeni Golov <evgeni@debian.org>
closes lxc#302 Signed-off-by: Evgeni Golov <evgeni@debian.org>
closes lxc#302 Signed-off-by: Evgeni Golov <evgeni@debian.org>
This is a forward of https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758643:
---snip---
From: Ondřej Surý ondrej@debian.org
To: Debian Bug Tracking System submit@bugs.debian.org
Subject: lxc-create creates vulnerable system in default debian template
Date: Tue, 19 Aug 2014 17:10:33 +0200
Package: lxc
Version: 1:1.0.5-1
Severity: grave
Tags: security upstream patch
Justification: user security hole
lxc-create will by default set root password to 'root'.
This is a horrible practice and together with default installation of
openssh-server with PermitRootLogin yes create a security hole in each
and every container created and booted with IP address.
Attached is a simple fix that generates random password using pwgen
package.
All other templates needs to be checked as well.
Cheers,
Ondrej
diff --git a/debian/control b/debian/control
index 9a890a1..a5fa12c 100644
--- a/debian/control
+++ b/debian/control
@@ -17,6 +17,7 @@ Build-Depends:
linux-libc-dev,
pkg-config,
python3-dev,
Standards-Version: 3.9.5
Homepage: http://linuxcontainers.org/
Vcs-Browser: http://daniel-baumann.ch/gitweb/?p=debian/packages/lxc.git
$ cat debian/patches/0010-Generate-a-random-password-in-default-debian-templat.patch
From: =?utf-8?q?Ond=C5=99ej_Sur=C3=BD?= ondrej@sury.org
Date: Tue, 19 Aug 2014 17:08:16 +0200
Subject: Generate a random password in default debian template
templates/lxc-debian.in | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/templates/lxc-debian.in b/templates/lxc-debian.in
index c2076dc..5cf928d 100644
--- a/templates/lxc-debian.in
+++ b/templates/lxc-debian.in
@@ -148,8 +148,10 @@ EOF
echo "Timezone in container is not configured. Adjust it manually."
fi
return 0
}
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16-rc6-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages lxc depends on:
ii libapparmor1 2.8.0-5.1+b2
ii libc6 2.19-9
ii libcap2 1:2.24-4
ii libseccomp2 2.1.1-1
ii libselinux1 2.3-1
ii multiarch-support 2.19-9
ii python3 3.4.1-1
Versions of packages lxc recommends:
ii lua5.2 5.2.3-1
ii rsync 3.1.1-2
Versions of packages lxc suggests:
ii debootstrap 1.0.60
-- no debconf information
---snap---
The text was updated successfully, but these errors were encountered: