From Fedora Project Wiki

No edit summary
Line 8: Line 8:


{{admon/warning|Work in progress|This section is being updated regularly. --[[User:Mhayden|Mhayden]] ([[User talk:Mhayden|talk]]) 17:31, 18 June 2015 (UTC)}}
{{admon/warning|Work in progress|This section is being updated regularly. --[[User:Mhayden|Mhayden]] ([[User talk:Mhayden|talk]]) 17:31, 18 June 2015 (UTC)}}
=== Alpine ===
The template can't download an APK that passes verification.  It also doesn't seem to set a root password anywhere during the container creation.
=== AltLinux ===
The password for root is set to <code>rooter</code> for all builds.
=== ArchLinux ===
The user can specify a root password but root's account is left without a password if a password isn't provided.


=== CentOS ===
=== CentOS ===

Revision as of 18:45, 18 June 2015

Mission

This project's mission is to eliminate the use of predictable passwords in LXC templates. It all started with BZ 1132001 which attached bug reports to fedora-all, EPEL 7, and EPEL 6. The problem exists upstream and the upstream developers are welcoming fixes.

This is part of the Fedora Security Team's 90-day challenge.

Templates

The upstream templates are on Github. Each template will be documented here as it's reviewed.

Work in progress
This section is being updated regularly. --Mhayden (talk) 17:31, 18 June 2015 (UTC)

Alpine

The template can't download an APK that passes verification. It also doesn't seem to set a root password anywhere during the container creation.

AltLinux

The password for root is set to rooter for all builds.

ArchLinux

The user can specify a root password but root's account is left without a password if a password isn't provided.

CentOS

No changes needed as randomized root passwords are already applied during build.

Debian

The upstream Debian template current sets root's password to root. There's a proposed fix waiting on feedback from Debian's LXC package maintainer.

Fedora

No changes needed as randomized root passwords are already applied during build.

Gentoo

If a root password isn't specified, the root password is set to toor.

Ubuntu

The UBuntu template disables the root account but makes a regular user with sudo privileges that has ubuntu as a username and password (unless a user password is specified on the command line during build).

A fix has been proposed.