Bug 1132001

Summary: lxc: default predictable root password in most templates
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: carnil, jrusnack, karlthered, mhayden, sagarun, thomas.moschny
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 02:34:34 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1132002, 1132003, 1132004    
Bug Blocks:    

Description Vincent Danen 2014-08-20 13:37:51 UTC
A Debian bug reported [1] noted that the default Debian template for LXC (lxc-debian.in) set the root password to 'root' for the newly-created Debian-based container.  In addition, it was also reported [2] that the default sshd_config installed set 'PermitRootLogin yes' which, while normally not a problem to allow root to login with a password, due to the constant and known root password, makes it easy for any user to obtain root privileges in a new container where the password has not been changed.

In the Fedora or CentOS templates that do set a random root password, this is not a problem.  So the second Debian bug is only a security issue when the first issue is present (it is not a security issue in the other templates).

Looking further at the various templates, when a password is not specified, other systems also use predictable defaults:

* openmandriva
* gentoo
* altlinux
* archlinux (if unspecified, no password is set)
* opensuse
* oracle
* plamo
* ubuntu (has a predictable password for user ubuntu, which in turn has sudo access)


[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758643
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758647


NOTE: I don't know whether or not this would ever receive a CVE based on these being configurable (so would require in most cases a person to either a) not specify a password or b) not change it post-creation), however the way the Fedora and CentOS templates work (random passwords, stored either in a file or printed to stdout) is a much safer/secure alternative and it would be ideal if these other templates could be changed to do something similar.

Comment 1 Vincent Danen 2014-08-20 13:38:15 UTC
Created lxc tracking bugs for this issue:

Affects: fedora-all [bug 1132002]
Affects: epel-6 [bug 1132003]
Affects: epel-7 [bug 1132004]

Comment 2 Major Hayden 🤠 2015-06-18 20:45:37 UTC
Inventory of current templates with plans: 

  https://fedoraproject.org/wiki/LXC_Template_Security_Improvements

Comment 3 Product Security DevOps Team 2019-06-08 02:34:34 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.