Default cloud user name

Garrett Holmstrom gholms at fedoraproject.org
Mon May 27 03:53:08 UTC 2013


On 2013-05-26 18:57, Steven Dake wrote:
> On 05/25/2013 01:09 PM, Steven Hardy wrote:
>> On Fri, May 24, 2013 at 04:32:15PM +0200, Juerg Haefliger wrote:
>>> Hi all,
>>>
>>> Per Matt's request, I'm starting a new thread about the default user
>>> name for Fedora cloud images. Currently it's 'ec2-user' which I don't
>>> really like. OK, coming from the OpenStack-side of the cloud I might
>>> be a little biased :-) Nevertheless, I think we want to achieve an end
>>> goal of a single image that can be used in different cloud
>>> environments rather than having different images for the different
>>> environments. As such, the user name needs to be cloud/service
>>> provider independent. Following the lead of Ubuntu and Debian I
>>> propose to use 'fedora' as the default user name for F19 and going
>>> forward.
>> If we have to have a default user configured in the package, then
>> "fedora",
>> or "fedora-user" gets my +1.
>>
>> I also agree that just using root would be easier & less confusing, since
>> the passwordless sudo amounts to that anyway.
> Steve,
>
> Applications run as the user (fedora-user) and would need a more
> complicated attack vector to escalate privileges via sudo than a root
> run daemon running inside the instance would (No remote execution of
> sudo plus other commands would be required).  For example, a network
> daemon running only as root could be attacked by reading files via the
> network via a non-remote-execution attack (think web app reading and
> displaying mysql passwords from the filesystem).  This mysql leak could
> then be used as a different attack, which would not have been possible
> if the app was running without non-privileged capabilities.
>
> Further complicating things, many applications will not run when root
> capabilities are present in the process (they self-check and complain
> don't run as root).

I take it we should assume that people will run their daemons and other 
applications as whatever user is there by default and not bother 
creating their own, then?

--
Garrett Holmstrom
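The split that Steven Dake's argument relies on (an interactive default user with passwordless sudo, and daemons running as a separate account that has no sudo at all) can be expressed directly in cloud-init user-data. The following cloud-config is an added illustration, not part of this thread or of the Fedora image; the user names `fedora` and `webapp`, the group name and the `runcmd` lines are assumptions chosen for the example.

```yaml
#cloud-config
# Added example (not from the thread): a provider-independent default user
# plus a dedicated, unprivileged account for the service the instance hosts.
users:
  # Interactive login user, as proposed in the thread. Passwordless sudo is
  # what makes this account effectively root for whoever holds the SSH key.
  - name: fedora
    gecos: Fedora cloud default user
    groups: wheel
    sudo: ALL=(ALL) NOPASSWD:ALL
    shell: /bin/bash
    lock_passwd: true           # key-based login only, no password
    ssh_authorized_keys:
      - ssh-ed25519 AAAA...EXAMPLE-KEY-PLACEHOLDER fedora@example

  # Service account for the application. No sudo, no shell, no SSH key:
  # a file-read bug in the app reveals only what this account can read.
  - name: webapp
    gecos: Application service account
    system: true
    shell: /sbin/nologin
    lock_passwd: true
    sudo: false

runcmd:
  # Application state is owned by the service account, readable only by it;
  # the default user (and thus its sudo) is not involved in day-to-day operation.
  - mkdir -p /srv/webapp
  - chown webapp:webapp /srv/webapp
  - chmod 0750 /srv/webapp
```

The point of the second account is the one made in the quoted mail: the daemon never has the default user's sudo rights, so a read-only compromise of the application does not hand over root. Whether image users will actually create such an account rather than running everything as the default user is exactly the question Garrett raises.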
