[Fedora-spins] [spin-kickstarts/f22] docker: Don't use a hardcoded root password
Colin Walters
walters at fedoraproject.org
Wed May 6 18:37:24 UTC 2015
commit 7a6f83699b918c5c1a9f2218fbdda974f09b3675
Author: Colin Walters <walters at verbum.org>
Date: Tue Dec 16 16:26:01 2014 -0500
docker: Don't use a hardcoded root password
Best practice is to use unprivileged service daemons inside Docker
containers. But with this hardcoded root password, in the case of
remote code execution, an attacker could trivially escalate their
privileges to root/uid 0. And while that's uid 0 inside a container,
that's a much larger attack surface.
Instead, do the same thing we're doing for the Cloud images: lock the
root password, create a user to make Anaconda happy, then delete the
user in %post.
https://bugzilla.redhat.com/show_bug.cgi?id=1175997
fedora-docker-base.ks | 6 +++++-
1 files changed, 5 insertions(+), 1 deletions(-)
---
diff --git a/fedora-docker-base.ks b/fedora-docker-base.ks
index 907667b..c9da8f2 100644
--- a/fedora-docker-base.ks
+++ b/fedora-docker-base.ks
@@ -18,7 +18,8 @@
cmdline
bootloader --location=none
timezone --isUtc --nontp Etc/UTC
-rootpw --plaintext qweqwe
+rootpw --lock --iscrypted locked
+user --name=none
keyboard us
zerombr
@@ -44,6 +45,9 @@ dnf-yum # https://fedorahosted.org/fesco/ticket/1312#comment:29
# Set the language rpm nodocs transaction flag persistently in the
# image yum.conf and rpm macros
+# remove the user anaconda forces us to make
+userdel -r none
+
LANG="en_US"
echo "%_install_lang $LANG" > /etc/rpm/macros.image-language-conf
More information about the spins
mailing list