posts/docker-image-vuln: add a short "how could this happen"

1 files changed, 11 insertions, 0 deletions

diff --git a/posts/Docker-Image-root-User-Hard-Coded-Credential-Vulnerability.md b/posts/Docker-Image-root-User-Hard-Coded-Credential-Vulnerability.md
index fd6ff1f..ab46d77 100644
--- a/posts/Docker-Image-root-User-Hard-Coded-Credential-Vulnerability.md
+++ b/posts/Docker-Image-root-User-Hard-Coded-Credential-Vulnerability.md
@@ -52,4 +52,15 @@ this line to your Dockerfile:
 
 Alternatively you could make sure that you don't have `linux-pam` installed.
 
+## How could this happen?
 
+Alpine uses `busybox` as core tools. We have tested and made sure that root
+logins without password are only allowed from TTYs that are listed as secure in
+`/etc/securetty`. This makes is possible to boot Alpine on a machine and log in
+as root without shipping any pregenerated, well known password for Alpine. We
+consider a pregenerated, well known password worse than no password at all.
+
+Services like `sshd` will not allow logins with blank passwords at all.
+
+Unfortunately we missed the case when a user installs `shadow` and `linux-pam`
+instead of using the default tools.