Red Hat Bugzilla – Bug 1013684
Some Quickstarts don't generate the default Admin password
Last modified: 2015-05-14 22:25:19 EDT
Description of problem:
Some of the current Quickstarts don't generate unique password for the Administrator account. Users might not change the default password, which leads to many applications being open to a possible attacker. This should be considered a security issue.
Applicable to the following QuickStarts:
- Drupal https://github.com/openshift/drupal-quickstart#default-credentials
- DokuWiki https://github.com/openshift/dokuwiki-quickstart#dokuwiki-security
- Redmine https://github.com/openshift/redmine-2.0-openshift-quickstart#changing-the-default-admin-password
- ownCloud https://github.com/openshift/owncloud-openshift-quickstart#default-credentials
Some of the current Quickstarts don't generate the default Admin password.
All the Quickstarts generate the default Admin password.
Blocked by cartridge_actions.rb#post_configure CLIENT_RESULT functionality to be able to show the generated password to the users as mentioned in bug 1012981 comment 1.
I fixed DokuWiki recently so it generates unique password for easy installation. The problem is how you deliver the initial password to console and also what if user forget the password? Those are cases that needs to be considered, but I fully agree that this is security bug and should be fixed.
Drupal fixed with https://github.com/openshift/drupal-quickstart/pull/21
In Redmine, the preset password is the standard way when installing, it's possible to change this but it would be cause additional maintenance overhead.