On Mon, May 27, 2013 at 10:27 AM, Steven Hardy <shardy@xxxxxxxxxx> wrote: > On Sun, May 26, 2013 at 06:57:44PM -0700, Steven Dake wrote: >> On 05/25/2013 01:09 PM, Steven Hardy wrote: >> >On Fri, May 24, 2013 at 04:32:15PM +0200, Juerg Haefliger wrote: >> >>Hi all, >> >> >> >>Per Matt's request, I'm starting a new thread about the default user >> >>name for Fedora cloud images. Currently it's 'ec2-user' which I don't >> >>really like. OK, coming from the OpenStack-side of the cloud I might >> >>be a little biased :-) Nevertheless, I think we want to achieve an end >> >>goal of a single image that can be used in different cloud >> >>environments rather than having different images for the different >> >>environments. As such, the user name needs to be cloud/service >> >>provider independent. Following the lead of Ubuntu and Debian I >> >>propose to use 'fedora' as the default user name for F19 and going >> >>forward. >> >If we have to have a default user configured in the package, then "fedora", >> >or "fedora-user" gets my +1. >> > >> >I also agree that just using root would be easier & less confusing, since >> >the paswordless sudo amounts to that anyway. I consider a non-root default user to be convenient. Some things are just not meant to be run as root and I find it a pain in the behind having to create a non-root user every time I fire up a new instance. ...Juerg >> Steve, >> >> Applications run as the user (fedora-user) and would need a more >> complicated attack vector to escalate privileges via sudo then a >> root run daemon running inside the instance would (No remote >> execution of sudo plus other commands would be required). For >> example, a network daemon running only as root could be attacked by >> reading files via the network via a non-remote-execution attack >> (think web app reading and displaying mysql passwords from the >> filesystem). This mysql leak could then be used as a different >> attack, which would not have been possible if the app was running >> without non-privileged capabilities. > > Sorry, but I really don't understand this argument at all - any sanely > packaged software will create a suitably unprivileged user to run their > application/daemon, and running them as a user which has passwordless sudo > rights seems like a terrible idea. > > If people really are using the default user in the manner you describe, > then I think it is a good argument for not having a default > user at all (in the package), e.g make it part of the ec2 AMI for > historical reasons, but require other users of cloud-init to make an > explicit decision about what users are created and what privileges they > have via cloud-config. > > Allowing SSH to the not-root-but-actually-is-root account negates nearly > all of the advantages of disabling root SSH logins, and in particular you > lose any audit trail because it's a generic account. > > IMO in any environment where you actually care about security, you'd want > to remove the package-default user and instead provide admin access via > real user accounts (e.g configure centralized authentication or use some > other method which provides identification of the admin accessing the > system) > >> Further complicating things, many applications will not run when >> root capabilities are present in the process (they self-check and >> complain don't run as root). > > So they create a user in the RPM at install time. > > Cheers, > > Steve > _______________________________________________ > cloud mailing list > cloud@xxxxxxxxxxxxxxxxxxxxxxx > https://admin.fedoraproject.org/mailman/listinfo/cloud _______________________________________________ cloud mailing list cloud@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/cloud