Re: Default cloud user name

On 05/26/2013 08:53 PM, Garrett Holmstrom wrote:
> On 2013-05-26 18:57, Steven Dake wrote:
>> On 05/25/2013 01:09 PM, Steven Hardy wrote:
>>> On Fri, May 24, 2013 at 04:32:15PM +0200, Juerg Haefliger wrote:
>>>> Hi all,
>>>>
>>>> Per Matt's request, I'm starting a new thread about the default user
>>>> name for Fedora cloud images. Currently it's 'ec2-user' which I don't
>>>> really like. OK, coming from the OpenStack side of the cloud I might
>>>> be a little biased :-) Nevertheless, I think we want to achieve an end
>>>> goal of a single image that can be used in different cloud
>>>> environments rather than having different images for the different
>>>> environments. As such, the user name needs to be cloud/service
>>>> provider independent. Following the lead of Ubuntu and Debian I
>>>> propose to use 'fedora' as the default user name for F19 and going
>>>> forward.
>>>
>>> If we have to have a default user configured in the package, then
>>> "fedora" or "fedora-user" gets my +1.
>>>
>>> I also agree that just using root would be easier & less confusing, since
>>> the passwordless sudo amounts to that anyway.
>>
>> Steve,
>>
>> Applications run as the user (fedora-user) and would need a more
>> complicated attack vector to escalate privileges via sudo than a root-run
>> daemon running inside the instance would (no remote execution of
>> sudo plus other commands would be required). For example, a network
>> daemon running only as root could be attacked by reading files via the
>> network via a non-remote-execution attack (think web app reading and
>> displaying mysql passwords from the filesystem). This mysql leak could
>> then be used as a different attack, which would not have been possible
>> if the app was running without non-privileged capabilities.
>>
>> Further complicating things, many applications will not run when root
>> capabilities are present in the process (they self-check and complain
>> "don't run as root").
>
> I take it we should assume that people will run their daemons and other
> applications as whatever user is there by default and not bother creating
> their own, then?

Yes, this is typically what happens in most cloud environments such as ec2.

> --
> Garrett Holmstrom
> _______________________________________________
> cloud mailing list
> cloud@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/cloud
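For readers who want to see where the default user name discussed above actually lives: on cloud images it is set through cloud-init's `system_info.default_user` stanza in /etc/cloud/cloud.cfg. The excerpt below is an added illustration written for this page, not the file Fedora ships and not anything posted in the thread. The keys (`disable_root`, `system_info`, `default_user`, `name`, `lock_passwd`, `groups`, `sudo`, `shell`) are real cloud-init options; the values, including the group list and the gecos string, are assumptions chosen to match the proposal in the thread.

```yaml
# /etc/cloud/cloud.cfg (excerpt) -- added illustration, not Fedora's shipped file.
# Values are assumptions picked to match the thread's 'fedora' proposal.

# Do not install the injected SSH key for root; cloud-init instead writes a
# forced-command entry that tells the caller which user to log in as.
disable_root: true

system_info:
  default_user:
    # Provider-independent name, as proposed in the thread (replaces 'ec2-user').
    name: fedora
    gecos: Fedora Cloud User
    # No password at all: only the key injected at boot gets in.
    lock_passwd: true
    # wheel is the sudo group on Fedora; the other groups are assumed.
    groups: [wheel, adm, systemd-journal]
    # Passwordless sudo: an interactive shell as 'fedora' is root-equivalent,
    # but a daemon that merely runs as 'fedora' still cannot read root-only
    # files (the file-read scenario in the thread) without first executing sudo.
    sudo: ["ALL=(ALL) NOPASSWD:ALL"]
    shell: /bin/bash
```

On a booted instance the result can be checked with `getent passwd fedora` (the account exists and has the expected shell) and `sudo -l -U fedora` (the NOPASSWD rule is present); `grep fedora /root/.ssh/authorized_keys` should show only the forced-command line that `disable_root: true` produces, not a usable key.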
