[lxc-devel] default root password has to be random in default debian template

Stéphane Graber stgraber at ubuntu.com
Mon Aug 25 21:19:46 UTC 2014 

On Mon, Aug 25, 2014 at 05:12:23PM -0400, Michael H. Warfield wrote:
> On Mon, 2014-08-25 at 16:26 -0400, Stéphane Graber wrote:
> > On Sat, Aug 23, 2014 at 04:44:05PM -0400, Michael H. Warfield wrote:
> > > On Sat, 2014-08-23 at 11:04 +0200, Thomas Moschny wrote:
> > > > 2014-08-20 18:32 GMT+02:00 Michael H. Warfield <mhw at wittsend.com>:
> > > > > Yes, it does apply to more templates (but not all templates).
> > > > >
> > > > > This has been discussed before.  Please look at the Fedora and CentOS
> > > > > templates for how we handle them there.  In those cases, it's
> > > > > configurable and supports templating.  It's up to the other template
> > > > > maintainers if they want to pull that over and there are issues with the
> > > > > download template and its defaults (if you use the download template to
> > > > > pull a Fedora rootfs, you still get root:root).  I'm not familiar with
> > > > > who the maintainer of the Debian template is.  I've only contributed to
> > > > > the Fedora, CentOS, and OpenSUSE templates.
> > > 
> > > > This issue has been reported as a security bug against the Fedora packages:
> > > 
> > > > https://bugzilla.redhat.com/show_bug.cgi?id=1132001
> > > 
> > > Sigh...
> > > 
> > > > It would be nice if we could get that fixed for all templates. Instead
> > > > of letting different template maintainers fix that in different ways,
> > > > we should probably factor this out into a common routine?
> > > 
> > > I just looked at the code I did in the Fedora template.  Yeah, I think I
> > > could abstract that out into a "functions" file without too much
> > > trouble.  I know Stéphane wants users to be using the download template
> > > more, because the raw templates generally can not be used by non-priv
> > > users but it would make things easier if we started building up a
> > > scaffolding of common functions that could be used in templates.  This
> > > might be a good place to start.
> > > 
> > > This has also raised the complicating question of changing the root
> > > password from the host system when needed.  Some cases are straight
> > > forward with a "chroot ${root_fs} passwd" but things can get much more
> > > complicated depending on backing store (cow2, lvm, etc).
> > > 
> > > The download template is a special case where the whole rootfs is
> > > downloaded and cached from an image site.
> 
> > My current thought for the download template is simply to ship all
> > tarballs with no root password and no additional user and tell the user
> > in the post-creation message to either chroot and run passwd/useradd or
> > use lxc-attach.
> 
> No root password meaning <NULL> for the root password or meaning the
> account can not be logged into until a password is set.  If the former,
> that is not going to answer these bug reports.  If the later, I'm sure
> there will be complaints (as there are now).  But the later in defintely
> preferable to the former.

The latter.

The download template's goal is never to execute code from the
downloaded blobs outside of a full container and there's no good
cross-distro way of modifying accounts so it's preferable to just make
sure all the generated rootfs come without any account and have the root
account password locked, then give generic instructions on setting up a
password or a new account.

At some point I may also consider take this one step further and remove
ssh by default, having all containers setup by the download template be
clean distro installs with no services running (except for the DHCP
client). This would close another potential security issue (out of date
ssh servers) and also make LXC in line with some of the usual distro
policies (no open ports).

> 
> > > > Regards,
> > > > Thomas
> 
> Regards,
> Mike
> -- 
> Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
>    /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
>    NIC whois: MHW9          | An optimist believes we live in the best of all
>  PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
> 



> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel


-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20140825/a2923f05/attachment.sig>

More information about the lxc-devel mailing list