Security risks: Creates user ubuntu with password ubuntu

Bug #1880387 reported by Jan
Affects: lxc-templates (Ubuntu)
Status: Won't Fix
Importance: Undecided
Assigned to: Ubuntu LXC team
Milestone: (none)

Bug Description

Version: 3.0.4-1ubuntu1

Is:
When creating a 16.04 container based on the template in version 3.0.4-1ubuntu1, the script creates a user "ubuntu" with password "ubuntu". This is a security risk if SSH logins are enabled.

Should:
The ubuntu user should have a random password printed on screen, as 3.0.4-0+deb10u1 does when creating Debian containers.
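The behaviour the report asks for (a per-container random password, applied inside the rootfs and printed once), plus a check for the weak default it describes, as an added example in POSIX sh. This is not code from lxc-templates or the Debian template; it assumes a 16.04-style container whose /etc/shadow stores SHA-512 crypt hashes (the `$6$` format), that `openssl` is installed on the host for the audit, and that the rootfs path passed in is the container's root filesystem (a hypothetical argument, not a template variable).

```shell
#!/bin/sh
# Added example (not lxc-templates code). Two halves:
#   1. generate a random password and set it for the container user, printing
#      it once for the administrator, instead of a fixed "ubuntu"/"ubuntu";
#   2. audit an existing rootfs for a user whose shadow entry still matches a
#      known default password, so legacy containers can be found and fixed.
set -eu

# Generate a random hex password from NBYTES (default 12) of /dev/urandom.
# 12 bytes = 24 hex characters = 96 bits of entropy.
gen_password() {
    nbytes="${1:-12}"
    head -c "$nbytes" /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Set USER's password to PASSWORD inside ROOTFS via chpasswd in a chroot,
# then print it once. Must run as root (chroot and chpasswd require it).
set_container_password() {
    rootfs="$1"; user="$2"; password="$3"
    if [ "$(id -u)" -ne 0 ]; then
        echo "set_container_password: must run as root to chroot into $rootfs" >&2
        return 1
    fi
    printf '%s:%s\n' "$user" "$password" | chroot "$rootfs" chpasswd
    echo "Password for user '$user' in $rootfs is: $password"
}

# Given one /etc/shadow line and a CANDIDATE password, return 0 if the stored
# SHA-512 crypt hash is the hash of CANDIDATE, 1 if not, 2 if undeterminable
# (non-$6$ hash, or no openssl to recompute crypt(3) with the stored salt).
shadow_password_matches() {
    shadow_line="$1"; candidate="$2"
    hash=$(printf '%s\n' "$shadow_line" | cut -d: -f2)
    case "$hash" in
        '$6$'*) ;;          # SHA-512 crypt, used by Ubuntu 16.04 / Debian 10
        *) return 2 ;;
    esac
    command -v openssl >/dev/null 2>&1 || return 2
    # The salt is the field between the second and third '$'.
    salt=$(printf '%s\n' "$hash" | cut -d'$' -f3)
    computed=$(openssl passwd -6 -salt "$salt" "$candidate")
    [ "$computed" = "$hash" ]
}

# Audit ROOTFS: does USER (default ubuntu) still have CANDIDATE (default ubuntu)
# as its password? Returns 0 (and warns) if so, 1 if not, 2 if undeterminable.
audit_rootfs_default_password() {
    rootfs="$1"; user="${2:-ubuntu}"; candidate="${3:-ubuntu}"
    line=$(grep "^$user:" "$rootfs/etc/shadow") || {
        echo "audit: no user '$user' in $rootfs/etc/shadow" >&2
        return 2
    }
    if shadow_password_matches "$line" "$candidate"; then
        echo "WARNING: $rootfs: user '$user' still has the default password" >&2
        return 0
    fi
    return 1
}

# Usage (arguments are hypothetical, not template parameters):
#   sh this.sh audit /var/lib/lxc/NAME/rootfs
#   sh this.sh rotate /var/lib/lxc/NAME/rootfs ubuntu   (as root)
if [ "${1:-}" = "audit" ] && [ -n "${2:-}" ]; then
    audit_rootfs_default_password "$2"
elif [ "${1:-}" = "rotate" ] && [ -n "${2:-}" ]; then
    set_container_password "$2" "${3:-ubuntu}" "$(gen_password)"
fi
```

The audit recomputes the crypt(3) hash with the salt taken from the shadow entry, so it works on a stopped container's rootfs without logging in; a container created on 22.04 or later uses yescrypt (`$y$`) hashes, for which this check reports "undeterminable" rather than guessing.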

information type: Private Security → Public Security
Changed in lxc-templates (Ubuntu):
assignee: nobody → Ubuntu containers team (ubuntu-lxc)
Stéphane Graber (stgraber) wrote:

You're correct and this pattern can be found in all such templates.

At the time it made sense as the only way to interact with a freshly created container was through lxc-console which requires a password.

It's one of the many security reasons why we moved from lxc-templates to distrobuilder and the current images that you're getting through the "download" template and is why "lxc-templates" is no longer supported upstream and was demoted to universe a few releases ago in Ubuntu.

I don't think doing any changes to those templates would be a good idea though as the few remaining users are very much legacy users that may break badly should we start modifying ssh configurations or change the way user creation works.

Instead we've seen the vast majority of users switching to the new pre-created images which don't have this issue nor any of the many many others that can be found in lxc-templates.

Changed in lxc-templates (Ubuntu):
status: New → Invalid
status: Invalid → Won't Fix
Stéphane Graber (stgraber) wrote:

Oops, wrong status. This issue is certainly valid, won't fix is a more accurate status for it.
