Re: Default cloud user name

On 2013-05-26 18:57, Steven Dake wrote:
> On 05/25/2013 01:09 PM, Steven Hardy wrote:
>> On Fri, May 24, 2013 at 04:32:15PM +0200, Juerg Haefliger wrote:
>>> Hi all,
>>>
>>> Per Matt's request, I'm starting a new thread about the default user
>>> name for Fedora cloud images. Currently it's 'ec2-user' which I don't
>>> really like. OK, coming from the OpenStack-side of the cloud I might
>>> be a little biased :-) Nevertheless, I think we want to achieve an end
>>> goal of a single image that can be used in different cloud
>>> environments rather than having different images for the different
>>> environments. As such, the user name needs to be cloud/service
>>> provider independent. Following the lead of Ubuntu and Debian I
>>> propose to use 'fedora' as the default user name for F19 and going
>>> forward.
>> If we have to have a default user configured in the package, then
>> "fedora",
>> or "fedora-user" gets my +1.
>>
>> I also agree that just using root would be easier & less confusing, since
>> the passwordless sudo amounts to that anyway.
> Steve,
>
> Applications run as the user (fedora-user) and would need a more
> complicated attack vector to escalate privileges via sudo than a root
> run daemon running inside the instance would (No remote execution of
> sudo plus other commands would be required).  For example, a network
> daemon running only as root could be attacked by reading files via the
> network via a non-remote-execution attack (think web app reading and
> displaying mysql passwords from the filesystem).  This mysql leak could
> then be used as a different attack, which would not have been possible
> if the app was running without non-privileged capabilities.
>
> Further complicating things, many applications will not run when root
> capabilities are present in the process (they self-check and complain
> don't run as root).

I take it we should assume that people will run their daemons and other applications as whatever user is there by default and not bother creating their own, then?

--
Garrett Holmstrom
_______________________________________________
cloud mailing list
cloud@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/cloud