Bug 1132001 - lxc: default predictable root password in most templates
Summary: lxc: default predictable root password in most templates
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1132003 1132004 1132002
TreeView+ depends on / blocked
Reported: 2014-08-20 13:37 UTC by Vincent Danen
Modified: 2019-09-29 13:20 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2019-06-08 02:34:34 UTC

Attachments (Terms of Use)

Description Vincent Danen 2014-08-20 13:37:51 UTC
A Debian bug reported [1] noted that the default Debian template for LXC (lxc-debian.in) set the root password to 'root' for the newly-created Debian-based container.  In addition, it was also reported [2] that the default sshd_config installed set 'PermitRootLogin yes' which, while normally not a problem to allow root to login with a password, due to the constant and known root password, makes it easy for any user to obtain root privileges in a new container where the password has not been changed.

In the Fedora or CentOS templates that do set a random root password, this is not a problem.  So the second Debian bug is only a security issue when the first issue is present (it is not a security issue in the other templates).

Looking further at the various templates, when a password is not specified, other systems also use predictable defaults:

* openmandriva
* gentoo
* altlinux
* archlinux (if unspecified, no password is set)
* opensuse
* oracle
* plamo
* ubuntu (has a predictable password for user ubuntu, which in turn has sudo access)

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758643
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758647

NOTE: I don't know whether or not this would ever receive a CVE based on these being configurable (so would require in most cases a person to either a) not specify a password or b) not change it post-creation), however the way the Fedora and CentOS templates work (random passwords, stored either in a file or printed to stdout) is a much safer/secure alternative and it would be ideal if these other templates could be changed to do something similar.

Comment 1 Vincent Danen 2014-08-20 13:38:15 UTC
Created lxc tracking bugs for this issue:

Affects: fedora-all [bug 1132002]
Affects: epel-6 [bug 1132003]
Affects: epel-7 [bug 1132004]

Comment 2 Major Hayden 2015-06-18 20:45:37 UTC
Inventory of current templates with plans: 


Comment 3 Product Security DevOps Team 2019-06-08 02:34:34 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.

Note You need to log in before you can comment on or make changes to this bug.