Default cloud user name

Steven Hardy shardy at redhat.com
Mon May 27 08:27:37 UTC 2013


On Sun, May 26, 2013 at 06:57:44PM -0700, Steven Dake wrote:
> On 05/25/2013 01:09 PM, Steven Hardy wrote:
> >On Fri, May 24, 2013 at 04:32:15PM +0200, Juerg Haefliger wrote:
> >>Hi all,
> >>
> >>Per Matt's request, I'm starting a new thread about the default user
> >>name for Fedora cloud images. Currently it's 'ec2-user' which I don't
> >>really like. OK, coming from the OpenStack-side of the cloud I might
> >>be a little biased :-) Nevertheless, I think we want to achieve an end
> >>goal of a single image that can be used in different cloud
> >>environments rather than having different images for the different
> >>environments. As such, the user name needs to be cloud/service
> >>provider independent. Following the lead of Ubuntu and Debian I
> >>propose to use 'fedora' as the default user name for F19 and going
> >>forward.
> >If we have to have a default user configured in the package, then "fedora",
> >or "fedora-user" gets my +1.
> >
> >I also agree that just using root would be easier & less confusing, since
> >the passwordless sudo amounts to that anyway.
> Steve,
> 
> Applications run as the user (fedora-user) and would need a more
> complicated attack vector to escalate privileges via sudo than a
> root run daemon running inside the instance would (No remote
> execution of sudo plus other commands would be required).  For
> example, a network daemon running only as root could be attacked by
> reading files via the network via a non-remote-execution attack
> (think web app reading and displaying mysql passwords from the
> filesystem).  This mysql leak could then be used as a different
> attack, which would not have been possible if the app was running
> without non-privileged capabilities.

Sorry, but I really don't understand this argument at all - any sanely
packaged software will create a suitably unprivileged user to run their
application/daemon, and running them as a user which has passwordless sudo
rights seems like a terrible idea.

If people really are using the default user in the manner you describe,
then I think it is a good argument for not having a default
user at all (in the package), e.g. make it part of the ec2 AMI for
historical reasons, but require other users of cloud-init to make an
explicit decision about what users are created and what privileges they
have via cloud-config.

Allowing SSH to the not-root-but-actually-is-root account negates nearly
all of the advantages of disabling root SSH logins, and in particular you
lose any audit trail because it's a generic account.

IMO in any environment where you actually care about security, you'd want
to remove the package-default user and instead provide admin access via
real user accounts (e.g. configure centralized authentication or use some
other method which provides identification of the admin accessing the
system).

> Further complicating things, many applications will not run when
> root capabilities are present in the process (they self-check and
> complain "don't run as root").

So they create a user in the RPM at install time.

Cheers,

Steve
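For readers who want to see what the cloud-config route described in the reply above looks like in practice, here is an added example (not part of the thread and not Fedora's or cloud-init's own configuration). It relies on cloud-init's documented behaviour that a `users:` list which omits `default` suppresses the package-default user, and replaces that generic passwordless-sudo account with named, key-only admin accounts so that every sudo invocation is logged against a real person. The user names, the key material and the specific commands granted to the operator role are placeholders chosen for the illustration.

```yaml
#cloud-config
# Added example for the thread above; not the package's shipped cloud.cfg.
# Names, keys and the commands granted below are placeholders/assumptions.

# The shape the reply objects to, shown only for contrast (do not use):
# users:
#   - default    # generic 'fedora'/'ec2-user' account with NOPASSWD:ALL sudo,
#                # shared by everyone who holds the instance key: no audit trail

# Hardened shape: because 'default' is absent from this list, cloud-init
# does not create the package-default user at all.
users:
  - name: alice                              # placeholder admin
    gecos: Alice Example, on-call admin
    groups: [wheel]
    shell: /bin/bash
    lock_passwd: true                        # no password login; SSH key only
    # Full sudo is still a choice, but it is now tied to a named account,
    # so /var/log/secure (or the journal) records "alice : ... COMMAND=...".
    sudo: ["ALL=(ALL) NOPASSWD:ALL"]
    ssh_authorized_keys:
      - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERALICE alice@workstation  # placeholder key

  - name: bob                                # placeholder operator
    gecos: Bob Example, web app operator
    shell: /bin/bash
    lock_passwd: true
    # Least privilege: only the commands this role needs, each written by
    # cloud-init into /etc/sudoers.d and individually logged by sudo.
    sudo:
      - "ALL=(ALL) NOPASSWD:/usr/bin/systemctl restart httpd"
      - "ALL=(ALL) NOPASSWD:/usr/bin/journalctl -u httpd"
    ssh_authorized_keys:
      - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERBOB bob@workstation      # placeholder key

disable_root: true    # keep direct root SSH logins off; admins arrive as themselves
ssh_pwauth: false     # keys only, so no shared password can become a foothold
```

With this in place, the daemons installed by RPM still run under the unprivileged users their packages create, nobody logs in to a generic account, and a compromised application running as its own service user has no passwordless sudo rule to reach for; an attacker would need a separate escalation path rather than simply invoking `sudo` from the default user's session.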
