commit 6ba647a663f09da4ba740eb99733a39cba58d204
Author: Colin Walters <walters(a)verbum.org>
Date: Tue Dec 16 16:26:01 2014 -0500
docker: Don't use a hardcoded root password

Best practice is to use unprivileged service daemons inside Docker
containers. But with this hardcoded root password, in the case of
remote code execution, an attacker could trivially escalate their
privileges to root/uid 0. And while that's uid 0 inside a container,
that's a much larger attack surface.

Instead, do the same thing we're doing for the Cloud images: lock the
root password, create a user to make Anaconda happy, then delete the
user in %post.

https://bugzilla.redhat.com/show_bug.cgi?id=1175997
fedora-docker-base.ks | 6 +++++-
1 files changed, 5 insertions(+), 1 deletions(-)
---
diff --git a/fedora-docker-base.ks b/fedora-docker-base.ks
index 907667b..c9da8f2 100644
--- a/fedora-docker-base.ks
+++ b/fedora-docker-base.ks
@@ -18,7 +18,8 @@
cmdline
bootloader --location=none
timezone --isUtc --nontp Etc/UTC
-rootpw --plaintext qweqwe
+rootpw --lock --iscrypted locked
+user --name=none
keyboard us
zerombr
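Review bot: The added `user --name=none` line carries no password or lock option and no comment, so nothing at this spot tells a reader the account is temporary, and its state in the image depends entirely on the `userdel -r none` in %post actually running. Suggest a one-line comment here pointing at the %post removal and, if Anaconda accepts it, `user --name=none --lock` so the account is unusable even if the deletion is ever skipped. On `rootpw --lock --iscrypted locked`, a short comment that `locked` is a placeholder string and not a real crypt hash would save the next reader from wondering.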
@@ -44,6 +45,9 @@ dnf-yum #
https://fedorahosted.org/fesco/ticket/1312#comment:29
# Set the language rpm nodocs transaction flag persistently in the
# image yum.conf and rpm macros
+# remove the user anaconda forces us to make
+userdel -r none
+
LANG="en_US"
echo "%_install_lang $LANG" > /etc/rpm/macros.image-language-conf
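Review bot: The new comment and `userdel -r none` are inserted between the existing "Set the language rpm nodocs transaction flag" comment and the `LANG="en_US"` line it describes, so that comment now reads as if it introduced the user deletion. Move the two added lines above that comment block or below the language setup. The result of `userdel` is also unchecked in the visible lines; since the whole change relies on the account being gone from the final image, consider failing the build if `getent passwd none` still returns an entry after the call.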