Bug 520348 - <app-emulation/lxc-2.0.8: default predictable root password in most templates
Summary: <app-emulation/lxc-2.0.8: default predictable root password in most templates
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Default Configs (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa]
Depends on: CVE-2017-5985
Reported: 2014-08-20 19:51 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2018-05-14 22:12 UTC (History)
CC: 4 users
Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-08-20 19:51:44 UTC
From ${URL}:
A Debian bug reported [1] noted that the default Debian template for LXC
(lxc-debian.in) set the root password to 'root' for the newly-created
Debian-based container.  In addition, it was also reported [2] that the default
sshd_config installed set 'PermitRootLogin yes' which, while normally not a
problem to allow root to login with a password, due to the constant and known
root password, makes it easy for any user to obtain root privileges in a new
container where the password has not been changed.

In the Fedora or CentOS templates that do set a random root password, this is
not a problem.  So the second Debian bug is only a security issue when the
first issue is present (it is not a security issue in the other templates).

Looking further at the various templates, when a password is not specified,
other systems also use predictable defaults:

* openmandriva
* gentoo
* altlinux
* archlinux (if unspecified, no password is set)
* opensuse
* oracle
* plamo
* ubuntu (has a predictable password for user ubuntu, which in turn has sudo
access)


[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758643
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758647


NOTE: I don't know whether or not this would ever receive a CVE based on these
being configurable (so would require in most cases a person to either a) not
specify a password or b) not change it post-creation), however the way the
Fedora and CentOS templates work (random passwords, stored either in a file or
printed to stdout) is a much safer/secure alternative and it would be ideal if
these other templates could be changed to do something similar.
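The description above recommends the Fedora/CentOS approach (a random root password, stored in a file or printed) over the constant 'root' password, and notes that 'PermitRootLogin yes' in sshd_config is only dangerous in combination with such a constant. The shell snippet below is an added illustration of both points; it is not code from any LXC template, from the Debian or Red Hat reports, or from the bug reporter. The function names, the refusal list (empty or 'root'), and the "$path/tmp_root_pass" file location are assumptions chosen for this example; sshd's real semantics (Match blocks, Include files) are not modelled beyond "first PermitRootLogin directive wins".

```shell
#!/bin/sh
# Added example for the LXC template issue discussed in this bug.
# It is not LXC's template code; names and the tmp_root_pass path are assumed.

# Draw 16 characters from /dev/urandom restricted to [A-Za-z0-9]
# (about 95 bits of entropy), so the container's root password is not
# a value every reader of the template already knows.
gen_root_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 16
}

# Returns 0 when the password is one of the predictable defaults named in
# the report (empty, or the literal string 'root'), 1 otherwise. A template
# can call this before chpasswd to refuse the weak value outright.
is_predictable_password() {
    case "$1" in
        ''|root) return 0 ;;
        *)       return 1 ;;
    esac
}

# Returns 0 when the sshd_config at "$1" lets root log in with a password.
# The first PermitRootLogin directive wins, as in sshd; keywords are matched
# case-insensitively. A missing directive is treated as "yes", which was
# OpenSSH's built-in default before 7.0, the versions current for this report.
sshd_permits_root_password() {
    value=$(grep -i '^[[:space:]]*PermitRootLogin[[:space:]]' "$1" \
            | head -n 1 | awk '{print $2}')
    case "${value:-yes}" in
        yes) return 0 ;;
        *)   return 1 ;;   # no, without-password, prohibit-password, forced-commands-only
    esac
}

# Set root's password inside the container rootfs "$1" to "$2", then record
# it in a mode-0600 file beside the rootfs (Fedora/CentOS-style, location
# assumed). Needs root on the host and chpasswd inside the rootfs; the checks
# above are what a test can exercise without those privileges.
set_root_password() {
    rootfs=$1; password=$2; path=$(dirname "$rootfs")
    if is_predictable_password "$password"; then
        echo "refusing to set a predictable root password" >&2
        return 1
    fi
    printf 'root:%s\n' "$password" | chroot "$rootfs" chpasswd || return 1
    ( umask 077 && printf '%s\n' "$password" > "$path/tmp_root_pass" ) || return 1
    echo "root password stored in $path/tmp_root_pass"
}

# Typical template usage (commented out so the file can be sourced as a library):
#   pw=$(gen_root_password)
#   set_root_password "$rootfs" "$pw"
#   if sshd_permits_root_password "$rootfs/etc/ssh/sshd_config"; then
#       echo "warning: sshd allows password login for root" >&2
#   fi
```

The two checks are the useful part for an auditor: `is_predictable_password` fails closed on the exact default the report describes, and `sshd_permits_root_password` flags the sshd setting that turns a known password into a remote root login, so a container created from an older template can be screened before it is exposed.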
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-08-20 20:19:43 UTC
I'm not sure to which extent this affects us, but since Gentoo is mentioned I'm leaving it to @maintainers to decide what they think is appropriate and whether it makes sense to look into the Fedora/CentOS Template.

Feel free to close this bug report if it is not of interest.
Comment 2 Markos Chandras (RETIRED) gentoo-dev 2014-12-21 10:01:17 UTC
I wouldn't be worried about that to be honest. Yes the default password is predictable, but if you expose your container without configuring it properly then you are doomed anyway.
Comment 3 Paul Tobias 2017-06-24 03:53:05 UTC
lxc-2.0.8 fixes this. From https://linuxcontainers.org/lxc/news/#lxc-208-release-announcement-11th-of-may-2017

"All templates have been updated to not set default passwords anymore"
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2017-07-17 01:15:52 UTC
Fix is in 2.0.8.