Bug 1132001 - lxc: default predictable root password in most templates
Summary: lxc: default predictable root password in most templates
Status: CLOSED UPSTREAM
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20140819,repor...
Keywords: Security
Depends On: 1132003 1132004 1132002
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-08-20 13:37 UTC by Vincent Danen
Modified: 2019-06-08 20:09 UTC (History)
6 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2019-06-08 02:34:34 UTC


Attachments (Terms of Use)

Description Vincent Danen 2014-08-20 13:37:51 UTC
A Debian bug reported [1] noted that the default Debian template for LXC (lxc-debian.in) set the root password to 'root' for the newly-created Debian-based container.  In addition, it was also reported [2] that the default sshd_config installed set 'PermitRootLogin yes' which, while normally not a problem to allow root to login with a password, due to the constant and known root password, makes it easy for any user to obtain root privileges in a new container where the password has not been changed.

In the Fedora or CentOS templates that do set a random root password, this is not a problem.  So the second Debian bug is only a security issue when the first issue is present (it is not a security issue in the other templates).

Looking further at the various templates, when a password is not specified, other systems also use predictable defaults:

* openmandriva
* gentoo
* altlinux
* archlinux (if unspecified, no password is set)
* opensuse
* oracle
* plamo
* ubuntu (has a predictable password for user ubuntu, which in turn has sudo access)


[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758643
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758647


NOTE: I don't know whether or not this would ever receive a CVE based on these being configurable (so would require in most cases a person to either a) not specify a password or b) not change it post-creation), however the way the Fedora and CentOS templates work (random passwords, stored either in a file or printed to stdout) is a much safer/secure alternative and it would be ideal if these other templates could be changed to do something similar.

Comment 1 Vincent Danen 2014-08-20 13:38:15 UTC
Created lxc tracking bugs for this issue:

Affects: fedora-all [bug 1132002]
Affects: epel-6 [bug 1132003]
Affects: epel-7 [bug 1132004]

Comment 2 Major Hayden 2015-06-18 20:45:37 UTC
Inventory of current templates with plans: 

  https://fedoraproject.org/wiki/LXC_Template_Security_Improvements

Comment 3 Product Security DevOps Team 2019-06-08 02:34:34 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.


Note You need to log in before you can comment on or make changes to this bug.