Bug 1013684

Summary: Some Quickstarts don't generate the default Admin password
Product: OpenShift Online
Reporter: Vojtech Vitek <vvitek>
Component: Security
Assignee: Dan McPherson <dmcphers>
Status: CLOSED CURRENTRELEASE
QA Contact: Xiaoli Tian <xtian>
Severity: medium
Priority: unspecified
Version: 2.x
CC: dmueller, hripps, jechoi, jialiu, lmeyer, mfojtik, vvitek, wjiang
Hardware: All
OS: All
Doc Type: Bug Fix
Last Closed: 2014-10-10 00:46:37 UTC
Type: Bug
Bug Depends On: 1012981

Description Vojtech Vitek 2013-09-30 15:24:06 UTC
Description of problem:
Some of the current Quickstarts don't generate a unique password for the Administrator account. Users might not change the default password, which leads to many applications being open to a possible attacker. This should be considered a security issue.

Applicable to the following QuickStarts:
- Drupal https://github.com/openshift/drupal-quickstart#default-credentials
- DokuWiki https://github.com/openshift/dokuwiki-quickstart#dokuwiki-security
- Redmine https://github.com/openshift/redmine-2.0-openshift-quickstart#changing-the-default-admin-password
- ownCloud https://github.com/openshift/owncloud-openshift-quickstart#default-credentials
- etc.

Actual results:
Some of the current Quickstarts don't generate the default Admin password.

Expected results:
All the Quickstarts generate the default Admin password.

Comment 1 Vojtech Vitek 2013-09-30 15:27:10 UTC
Blocked by cartridge_actions.rb#post_configure CLIENT_RESULT functionality to be able to show the generated password to the users as mentioned in bug 1012981 comment 1.

Comment 2 Michal Fojtik 2014-03-31 12:34:38 UTC
I fixed DokuWiki recently so it generates a unique password for easy installation. The problem is how you deliver the initial password to the console, and also what if the user forgets the password? Those are cases that need to be considered, but I fully agree that this is a security bug and should be fixed.

Comment 3 Balazs Varga 2014-07-18 13:50:47 UTC
Drupal fixed with https://github.com/openshift/drupal-quickstart/pull/21

Comment 4 Balazs Varga 2014-07-21 15:13:40 UTC
https://github.com/openshift/dokuwiki-quickstart/pull/7


In Redmine, the preset password is the standard way when installing[1]; it's possible to change this, but it would cause additional maintenance overhead.

[1]: http://www.redmine.org/projects/redmine/wiki/RedmineInstall#Step-10-Logging-into-the-application
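
One way a quickstart deploy hook could create a unique admin password on first deploy and show it only once, covering the points raised in the description and in comment 2 (an added example, not code from the quickstarts or the linked pull requests; the function names and the `admin_password` file name are assumptions):

```shell
#!/bin/sh
# Added example. Function names and the admin_password file name are
# assumptions, not taken from any OpenShift quickstart.

# gen_password: print 32 hex characters (128 bits) read from the kernel CSPRNG.
gen_password() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# ensure_admin_password DATA_DIR: print the stored password, generating and
# persisting it on the first call only, so redeploys never reset it.
ensure_admin_password() {
    data_dir="$1"
    pw_file="$data_dir/admin_password"
    if [ ! -s "$pw_file" ]; then
        (
            # umask applies inside the subshell only: file is created 0600.
            umask 077
            # Write to a temp name, then rename, so a crash mid-write never
            # leaves a truncated password behind.
            gen_password > "$pw_file.tmp"
            mv "$pw_file.tmp" "$pw_file"
        )
    fi
    cat "$pw_file"
}

# announce_admin_password DATA_DIR: show the password in the deploy output on
# first generation only; later deploys do not repeat it in logs.
announce_admin_password() {
    data_dir="$1"
    if [ -s "$data_dir/admin_password" ]; then
        echo "Admin password already set; not shown again."
    else
        echo "Generated admin password: $(ensure_admin_password "$data_dir")"
    fi
}

# Assumed usage from a deploy hook (OPENSHIFT_DATA_DIR is the gear's
# persistent data directory):
#   announce_admin_password "$OPENSHIFT_DATA_DIR"
```

The application still has to be seeded with this value during its own install step, and a user who forgets the password needs a separate reset path; the stored file only helps whoever can already read the gear's data directory.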