1
1
mirror of https://pagure.io/fedora-kickstarts.git synced 2024-11-05 08:04:20 +00:00

docker: Don't use a hardcoded root password

Best practice is to use unprivileged service daemons inside Docker
containers.  But with this hardcoded root password, in the case of
remote code execution, an attacker could trivially escalate their
privileges to root/uid 0.  And while that's uid 0 inside a container,
that's a much larger attack surface.

Instead, do the same thing we're doing for the Cloud images: lock the
root password, create a user to make Anaconda happy, then delete the
user in %post.

https://bugzilla.redhat.com/show_bug.cgi?id=1175997
This commit is contained in:
Colin Walters 2014-12-16 16:26:01 -05:00
parent 77955c8fc4
commit 6ba647a663

View File

@ -18,7 +18,8 @@
cmdline cmdline
bootloader --location=none bootloader --location=none
timezone --isUtc --nontp Etc/UTC timezone --isUtc --nontp Etc/UTC
rootpw --plaintext qweqwe rootpw --lock --iscrypted locked
user --name=none
keyboard us keyboard us
zerombr zerombr
@ -44,6 +45,9 @@ dnf-yum # https://fedorahosted.org/fesco/ticket/1312#comment:29
# Set the language rpm nodocs transaction flag persistently in the # Set the language rpm nodocs transaction flag persistently in the
# image yum.conf and rpm macros # image yum.conf and rpm macros
# remove the user anaconda forces us to make
userdel -r none
LANG="en_US" LANG="en_US"
echo "%_install_lang $LANG" > /etc/rpm/macros.image-language-conf echo "%_install_lang $LANG" > /etc/rpm/macros.image-language-conf