mirror of
https://pagure.io/fedora-kickstarts.git
synced 2024-11-05 08:04:20 +00:00
docker: Don't use a hardcoded root password
Best practice is to use unprivileged service daemons inside Docker containers. But with this hardcoded root password, in the case of remote code execution, an attacker could trivially escalate their privileges to root/uid 0. And while that's uid 0 inside a container, that's a much larger attack surface.

Instead, do the same thing we're doing for the Cloud images: lock the root password, create a user to make Anaconda happy, then delete the user in %post.

https://bugzilla.redhat.com/show_bug.cgi?id=1175997
parent
77955c8fc4
commit
6ba647a663
@ -18,7 +18,8 @@
|
|||||||
cmdline
|
cmdline
|
||||||
bootloader --location=none
|
bootloader --location=none
|
||||||
timezone --isUtc --nontp Etc/UTC
|
timezone --isUtc --nontp Etc/UTC
|
||||||
rootpw --plaintext qweqwe
|
rootpw --lock --iscrypted locked
|
||||||
|
user --name=none
|
||||||
|
|
||||||
keyboard us
|
keyboard us
|
||||||
zerombr
|
zerombr
|
||||||
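Review bot: `user --name=none` carries no comment saying it is a throwaway account that exists only to satisfy Anaconda and is removed again in %post, so a later edit that drops or breaks the `userdel` would leave the account in the image with nothing at this line to flag it. Add a comment above it, and consider `user --name=none --lock` so the account is explicitly unusable if the removal ever fails. On the `rootpw` line, `locked` is a placeholder string rather than a crypt hash; a short comment to that effect would keep it from being read as a real value.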
@ -44,6 +45,9 @@ dnf-yum # https://fedorahosted.org/fesco/ticket/1312#comment:29
|
|||||||
# Set the language rpm nodocs transaction flag persistently in the
|
# Set the language rpm nodocs transaction flag persistently in the
|
||||||
# image yum.conf and rpm macros
|
# image yum.conf and rpm macros
|
||||||
|
|
||||||
|
# remove the user anaconda forces us to make
|
||||||
|
userdel -r none
|
||||||
|
|
||||||
LANG="en_US"
|
LANG="en_US"
|
||||||
echo "%_install_lang $LANG" > /etc/rpm/macros.image-language-conf
|
echo "%_install_lang $LANG" > /etc/rpm/macros.image-language-conf
|
||||||
|
|
||||||
|
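Review bot: the exit status of `userdel -r none` is not checked, and nothing in the visible lines stops the build if it fails, in which case the image ships with the `none` account still present. Make the failure fatal, for example `userdel -r none || exit 1` in a `%post --erroronfail` section, or follow it with a `getent passwd none` check that aborts when the entry still exists. The new lines also land between the `# Set the language rpm nodocs ...` comment and the `LANG=` lines it describes; moving the `userdel` block above that comment keeps the comment next to its code.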