Default cloud user name

Steven Dake sdake at redhat.com
Mon May 27 13:50:01 UTC 2013


On 05/26/2013 08:53 PM, Garrett Holmstrom wrote:
> On 2013-05-26 18:57, Steven Dake wrote:
>> On 05/25/2013 01:09 PM, Steven Hardy wrote:
>>> On Fri, May 24, 2013 at 04:32:15PM +0200, Juerg Haefliger wrote:
>>>> Hi all,
>>>>
>>>> Per Matt's request, I'm starting a new thread about the default user
>>>> name for Fedora cloud images. Currently it's 'ec2-user' which I don't
>>>> really like. OK, coming from the OpenStack-side of the cloud I might
>>>> be a little biased :-) Nevertheless, I think we want to achieve an end
>>>> goal of a single image that can be used in different cloud
>>>> environments rather than having different images for the different
>>>> environments. As such, the user name needs to be cloud/service
>>>> provider independent. Following the lead of Ubuntu and Debian I
>>>> propose to use 'fedora' as the default user name for F19 and going
>>>> forward.
>>> If we have to have a default user configured in the package, then
>>> "fedora", or "fedora-user" gets my +1.
>>>
>>> I also agree that just using root would be easier & less confusing,
>>> since the passwordless sudo amounts to that anyway.
>> Steve,
>>
>> Applications run as the user (fedora-user) and would need a more
>> complicated attack vector to escalate privileges via sudo than a root
>> run daemon running inside the instance would (No remote execution of
>> sudo plus other commands would be required).  For example, a network
>> daemon running only as root could be attacked by reading files via the
>> network via a non-remote-execution attack (think web app reading and
>> displaying mysql passwords from the filesystem).  This mysql leak could
>> then be used as a different attack, which would not have been possible
>> if the app was running without non-privileged capabilities.
>>
>> Further complicating things, many applications will not run when root
>> capabilities are present in the process (they self-check and complain
>> don't run as root).
>
> I take it we should assume that people will run their daemons and 
> other applications as whatever user is there by default and not bother 
> creating their own, then?
>
Yes, this is typically what happens in most cloud environments such as ec2.

> -- 
> Garrett Holmstrom
> _______________________________________________
> cloud mailing list
> cloud at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/cloud
