On 05/25/2013 01:09 PM, Steven Hardy wrote:
On Fri, May 24, 2013 at 04:32:15PM +0200, Juerg Haefliger wrote:
Hi all,

Per Matt's request, I'm starting a new thread about the default user
name for Fedora cloud images. Currently it's 'ec2-user' which I don't
really like. OK, coming from the OpenStack-side of the cloud I might
be a little biased :-) Nevertheless, I think we want to achieve an end
goal of a single image that can be used in different cloud
environments rather than having different images for the different
environments. As such, the user name needs to be cloud/service
provider independent. Following the lead of Ubuntu and Debian I
propose to use 'fedora' as the default user name for F19 and going
forward.
If we have to have a default user configured in the package, then "fedora",
or "fedora-user" gets my +1.

I also agree that just using root would be easier & less confusing, since
the passwordless sudo amounts to that anyway.
Steve,

Applications run as the user (fedora-user) and would need a more complicated attack vector to escalate privileges via sudo than a root-run daemon running inside the instance would (no remote execution of sudo plus other commands would be required). For example, a network daemon running only as root could be attacked by reading files via the network via a non-remote-execution attack (think web app reading and displaying mysql passwords from the filesystem). This mysql leak could then be used as a different attack, which would not have been possible if the app was running without non-privileged capabilities.

Further complicating things, many applications will not run when root capabilities are present in the process (they self-check and complain "don't run as root").

Regards
-steve

Steve
_______________________________________________
cloud mailing list
cloud@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/cloud
