From ${URL}: A Debian bug report [1] noted that the default Debian template for LXC (lxc-debian.in) set the root password to 'root' for the newly-created Debian-based container. In addition, it was also reported [2] that the default sshd_config installed set 'PermitRootLogin yes' which, while it is normally not a problem to allow root to log in with a password, makes it easy, due to the constant and known root password, for any user to obtain root privileges in a new container where the password has not been changed.

In the Fedora or CentOS templates that do set a random root password, this is not a problem. So the second Debian bug is only a security issue when the first issue is present (it is not a security issue in the other templates).

Looking further at the various templates, when a password is not specified, other systems also use predictable defaults:

* openmandriva
* gentoo
* altlinux
* archlinux (if unspecified, no password is set)
* opensuse
* oracle
* plamo
* ubuntu (has a predictable password for user ubuntu, which in turn has sudo access)

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758643
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758647

NOTE: I don't know whether or not this would ever receive a CVE based on these being configurable (so it would require in most cases a person to either a) not specify a password or b) not change it post-creation), however the way the Fedora and CentOS templates work (random passwords, stored either in a file or printed to stdout) is a much safer/more secure alternative and it would be ideal if these other templates could be changed to do something similar.
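As an added illustration (not code from LXC, from any of the templates, or from anyone in this thread), the following Python audits a container rootfs for the combination described in the report above, a default or empty root password together with 'PermitRootLogin yes', and generates a random root password in the spirit of what the Fedora/CentOS templates are described as doing. Assumed: a standard rootfs layout (etc/shadow, etc/ssh/sshd_config), 'root' as the only known default password (the report names no others), and Python's crypt module for verifying hashes (the hash check is skipped, not faked, when crypt is unavailable). The sample shadow and sshd_config contents are constructed for the demo.

```python
"""Audit an LXC container for a default root password + PermitRootLogin yes,
and generate a random root password.  Added example, not LXC template code.
Assumptions: standard rootfs paths; 'root' is the only default we test for;
the crypt module may be missing (Python 3.13 removed it), in which case the
hash comparison returns None instead of guessing."""
import os
import secrets
import string

try:
    import crypt  # Unix-only; deprecated in 3.11, removed in 3.13
except ImportError:
    crypt = None

DEFAULT_PASSWORDS = ("root",)  # the value named in the Debian report


def hash_password(password, salt=None):
    """SHA-512 crypt(3) hash of password, or None if crypt is unavailable."""
    if crypt is None:
        return None
    if salt is None:
        salt = crypt.mksalt(crypt.METHOD_SHA512)
    return crypt.crypt(password, salt)


def classify_shadow_hash(field):
    """Map a shadow password field to 'empty', 'locked' or 'hashed'."""
    if field == "":
        return "empty"   # no password at all: login succeeds without one
    if field.startswith(("!", "*")):
        return "locked"  # password authentication disabled
    return "hashed"


def is_default_password(field, candidates=DEFAULT_PASSWORDS):
    """True if the stored hash matches a candidate, False if not,
    None when the check cannot be made because crypt is missing."""
    if crypt is None:
        return None
    # Passing the full stored hash as the salt re-uses its salt and rounds,
    # so the output is directly comparable to the stored field.
    return any(crypt.crypt(c, field) == field for c in candidates)


def permit_root_login(sshd_config_text):
    """Effective PermitRootLogin value.  sshd takes the first occurrence of a
    keyword; Match blocks are not modelled here (simplification)."""
    for line in sshd_config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "permitrootlogin" and len(parts) == 2:
            return parts[1].strip().lower()
    return None  # not set: the sshd build default applies


def audit_container(shadow_text, sshd_config_text):
    """Return a list of findings for the given shadow/sshd_config contents."""
    findings = []
    accounts = {}
    for line in shadow_text.splitlines():
        if ":" in line:
            user, field = line.split(":", 2)[:2]
            accounts[user] = field
    weak_root = False
    root_field = accounts.get("root")
    if root_field is None:
        findings.append("no root entry in shadow")
    else:
        kind = classify_shadow_hash(root_field)
        if kind == "empty":
            findings.append("root has an empty password")
            weak_root = True
        elif kind == "hashed" and is_default_password(root_field):
            findings.append("root password is a known template default")
            weak_root = True
    if permit_root_login(sshd_config_text) == "yes":
        findings.append("sshd permits root login with a password")
        if weak_root:
            findings.append("REMOTE ROOT: weak root password combined with PermitRootLogin yes")
    return findings


def generate_root_password(length=16):
    """Random alphanumeric password from the CSPRNG, as a template should do."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def write_password_file(path, password):
    """Store the password mode 0600 (file created with that mode, not chmod'd
    afterwards, so there is no window where it is world-readable)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(password + "\n")
    return oct(os.stat(path).st_mode & 0o777)


# Constructed sample: a fresh container with root password 'root' (hash built
# here if crypt exists, otherwise an empty field) and the Debian sshd_config.
SAMPLE_SHADOW = "root:%s:17000:0:99999:7:::\ndaemon:*:17000:0:99999:7:::\n" % (hash_password("root") or "")
SAMPLE_SSHD = "# comment\nPermitRootLogin yes\nPermitRootLogin no\n"

if __name__ == "__main__":
    for finding in audit_container(SAMPLE_SHADOW, SAMPLE_SSHD):
        print("FINDING:", finding)
    print("generated root password:", generate_root_password())
```

To run it against a real container, read `<rootfs>/etc/shadow` and `<rootfs>/etc/ssh/sshd_config` from the host and pass their contents to `audit_container`; the template fix is then to feed `generate_root_password()` to `chpasswd` inside the rootfs and keep the value only in the 0600 file written by `write_password_file` (or print it once, as the Fedora template is described as doing).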
I'm not sure to what extent this affects us, but since Gentoo is mentioned I'm leaving it to @maintainers to decide what they think is appropriate and whether it makes sense to look into the Fedora/CentOS template. Feel free to close this bug report if it is not of interest.
I wouldn't be worried about that to be honest. Yes the default password is predictable, but if you expose your container without configuring it properly then you are doomed anyway.
lxc-2.0.8 fixes this. From https://linuxcontainers.org/lxc/news/#lxc-208-release-announcement-11th-of-may-2017 "All templates have been updated to not set default passwords anymore"
fix is in 2.0.8.