Bug 1013684 - Some Quickstarts don't generate the default Admin password
Status: CLOSED CURRENTRELEASE
Product: OpenShift Online
Classification: Red Hat
Component: Security
Version: 2.x
Hardware: All, OS: All
Priority: unspecified, Severity: medium
Assigned To: Dan McPherson
QA Contact: Xiaoli Tian
Depends On: 1012981

Reported: 2013-09-30 11:24 EDT by Vojtech Vitek
Modified: 2015-05-14 22:25 EDT

Doc Type: Bug Fix
Last Closed: 2014-10-09 20:46:37 EDT
Type: Bug

Description Vojtech Vitek 2013-09-30 11:24:06 EDT
Description of problem:
Some of the current Quickstarts don't generate a unique password for the Administrator account. Users might not change the default password, which leads to many applications being open to a possible attacker. This should be considered a security issue.

Applicable to the following QuickStarts:
- Drupal https://github.com/openshift/drupal-quickstart#default-credentials
- DokuWiki https://github.com/openshift/dokuwiki-quickstart#dokuwiki-security
- Redmine https://github.com/openshift/redmine-2.0-openshift-quickstart#changing-the-default-admin-password
- ownCloud https://github.com/openshift/owncloud-openshift-quickstart#default-credentials
- etc.

Actual results:
Some of the current Quickstarts don't generate the default Admin password.

Expected results:
All the Quickstarts generate the default Admin password.
Comment 1 Vojtech Vitek 2013-09-30 11:27:10 EDT
Blocked by cartridge_actions.rb#post_configure CLIENT_RESULT functionality to be able to show the generated password to the users as mentioned in bug 1012981 comment 1.
Comment 2 Michal Fojtik 2014-03-31 08:34:38 EDT
I fixed DokuWiki recently so it generates a unique password for easy installation. The problem is how you deliver the initial password to the console, and also what if the user forgets the password? Those are cases that need to be considered, but I fully agree that this is a security bug and should be fixed.
Comment 3 Balazs Varga 2014-07-18 09:50:47 EDT
Drupal fixed with https://github.com/openshift/drupal-quickstart/pull/21
Comment 4 Balazs Varga 2014-07-21 11:13:40 EDT
https://github.com/openshift/dokuwiki-quickstart/pull/7


In Redmine, the preset password is the standard way when installing [1]. It's possible to change this, but it would cause additional maintenance overhead.

[1]: http://www.redmine.org/projects/redmine/wiki/RedmineInstall#Step-10-Logging-into-the-application
