Bug 1013684 - Some Quickstarts don't generate the default Admin password
Summary: Some Quickstarts don't generate the default Admin password
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Online
Classification: Red Hat
Component: Security
Version: 2.x
Hardware: All
OS: All
unspecified
medium
Target Milestone: ---
: ---
Assignee: Dan McPherson
QA Contact: Xiaoli Tian
URL:
Whiteboard:
Depends On: 1012981
Blocks:
 
Reported: 2013-09-30 15:24 UTC by Vojtech Vitek
Modified: 2015-05-15 02:25 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-10-10 00:46:37 UTC
Target Upstream Version:
Embargoed:



Description Vojtech Vitek 2013-09-30 15:24:06 UTC
Description of problem:
Some of the current Quickstarts don't generate a unique password for the Administrator account. Users might not change the default password, which leads to many applications being open to a possible attacker. This should be considered a security issue.

Applicable to the following QuickStarts:
- Drupal https://github.com/openshift/drupal-quickstart#default-credentials
- DokuWiki https://github.com/openshift/dokuwiki-quickstart#dokuwiki-security
- Redmine https://github.com/openshift/redmine-2.0-openshift-quickstart#changing-the-default-admin-password
- ownCloud https://github.com/openshift/owncloud-openshift-quickstart#default-credentials
- etc.

Actual results:
Some of the current Quickstarts don't generate the default Admin password.

Expected results:
All the Quickstarts generate the default Admin password.

Comment 1 Vojtech Vitek 2013-09-30 15:27:10 UTC
Blocked by cartridge_actions.rb#post_configure CLIENT_RESULT functionality to be able to show the generated password to the users as mentioned in bug 1012981 comment 1.

Comment 2 Michal Fojtik 2014-03-31 12:34:38 UTC
I fixed DokuWiki recently so it generates a unique password for easy installation. The problem is how you deliver the initial password to the console, and also what if the user forgets the password? Those are cases that need to be considered, but I fully agree that this is a security bug and should be fixed.
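
Added example (not code from any of the quickstarts or from the commenters): one way a deploy hook could create a unique admin password on first deploy and keep it in an owner-only file, so it can be read again later over SSH instead of relying on a shared default. The function names and the `admin_password` file name are hypothetical; `OPENSHIFT_DATA_DIR` is assumed to be the gear's persistent data directory.

```shell
#!/bin/sh
# Added example: per-application admin password for a quickstart deploy hook.
# Function names and the "admin_password" file name are hypothetical.

# Print LEN characters drawn from the kernel CSPRNG, using an alphabet
# without look-alike characters (no 0/O, 1/l/I).
gen_password() {
    len="${1:-20}"
    LC_ALL=C tr -dc 'A-HJ-NP-Za-km-z2-9' < /dev/urandom | head -c "$len"
}

# Create the password file once and print its path. Later deploys find the
# existing file and leave it alone, so a redeploy never rotates or resets
# the credential behind the user's back.
ensure_admin_password() {
    data_dir="$1"
    pw_file="$data_dir/admin_password"
    if [ ! -s "$pw_file" ]; then
        pw="$(gen_password 20)"
        # Refuse to continue with a short or empty password.
        [ "${#pw}" -eq 20 ] || return 1
        tmp="$pw_file.$$"
        # umask 077 makes the file 0600 from the moment it is created;
        # the rename keeps a half-written file from ever being picked up.
        ( umask 077; printf '%s\n' "$pw" > "$tmp" ) || return 1
        mv "$tmp" "$pw_file" || return 1
    fi
    printf '%s\n' "$pw_file"
}

# Usage inside a hook (skipped when the variable is not set):
if [ -n "${OPENSHIFT_DATA_DIR:-}" ]; then
    pw_path="$(ensure_admin_password "$OPENSHIFT_DATA_DIR")" || exit 1
    echo "Admin password stored in $pw_path"
    # The application's own installer would be given the contents of
    # "$pw_path" here instead of a fixed default.
fi
```

The hook prints only the file path, so the password itself does not end up in build or deploy logs.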

Comment 3 Balazs Varga 2014-07-18 13:50:47 UTC
Drupal fixed with https://github.com/openshift/drupal-quickstart/pull/21

Comment 4 Balazs Varga 2014-07-21 15:13:40 UTC
https://github.com/openshift/dokuwiki-quickstart/pull/7


In Redmine, the preset password is the standard way when installing[1]; it's possible to change this, but it would cause additional maintenance overhead.

[1]: http://www.redmine.org/projects/redmine/wiki/RedmineInstall#Step-10-Logging-into-the-application

