| author | Natanael Copa <ncopa@alpinelinux.org> | 2019-05-09 14:09:21 +0200 |
|---|---|---|
| committer | Natanael Copa <ncopa@alpinelinux.org> | 2019-05-09 14:09:21 +0200 |
| commit | d0c857ed6c4d75f4b8bcbeb4ef9bfd0e05d1ee33 (patch) | |
| tree | 47cd9268a71cdd2283db649b554e875b55a0e571 | |
| parent | 01e088a08d6c118d5b280cddd3b47668cc8a8e8b (diff) | |
| download | alpine-mksite-d0c857ed6c4d75f4b8bcbeb4ef9bfd0e05d1ee33.tar.bz2 alpine-mksite-d0c857ed6c4d75f4b8bcbeb4ef9bfd0e05d1ee33.tar.xz | |
posts/docker-image-vuln: add a short "how could this happen"
-rw-r--r-- | posts/Docker-Image-root-User-Hard-Coded-Credential-Vulnerability.md | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/posts/Docker-Image-root-User-Hard-Coded-Credential-Vulnerability.md b/posts/Docker-Image-root-User-Hard-Coded-Credential-Vulnerability.md index fd6ff1f..ab46d77 100644 --- a/posts/Docker-Image-root-User-Hard-Coded-Credential-Vulnerability.md +++ b/posts/Docker-Image-root-User-Hard-Coded-Credential-Vulnerability.md @@ -52,4 +52,15 @@ this line to your Dockerfile: Alternatively you could make sure that you don't have `linux-pam` installed. +## How could this happen? +Alpine uses `busybox` as core tools. We have tested and made sure that root +logins without password are only allowed from TTYs that are listed as secure in +`/etc/securetty`. This makes is possible to boot Alpine on a machine and log in +as root without shipping any pregenerated, well known password for Alpine. We +consider a pregenerated, well known password worse than no password at all. + +Services like `sshd` will not allow logins with blank passwords at all. + +Unfortunately we missed the case when a user installs `shadow` and `linux-pam` +instead of using the default tools. |
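Review bot: the closing paragraph of the new "How could this happen?" section says the `shadow` and `linux-pam` case was missed but does not say why the safeguard described two paragraphs earlier (root logins without a password only from TTYs listed in `/etc/securetty`, as enforced by the `busybox` tools) does not carry over to that configuration; one sentence stating what differs when `shadow` and `linux-pam` replace the default tools would make the explanation complete for readers who only see this section. Also a typo in the first paragraph: "This makes is possible to boot Alpine" should read "This makes it possible to boot Alpine".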