JobeInABox

by Tim Hunt
Number of replies: 5

I am starting to investigate https://hub.docker.com/r/trampgeek/jobeinabox

And, this is pretty much the first thing I have done with Docker, so please excuse my ignorance.

Why set a root password in the Dockerfile? Thanks.

In reply to Tim Hunt

Re: JobeInABox

by Richard Lobb

Good question! I couldn't think of a reason, and neither could my collaborator Julius Hoedjes, who knows more about docker than me. He has modified the dockerfile and documentation to omit the root password and we've pushed that to github and docker hub.

Thanks

Richard

In reply to Richard Lobb

Re: JobeInABox

by Tim Hunt

The only possible reason for it which I could make up is: is the password necessary to stop students' code from doing su root? (But I really don't understand, so this could be a wrong guess.)

In reply to Tim Hunt

Re: JobeInABox

by Tim Hunt

Yes. Someone who knows more about these things than me says that since this image does apt-get sudo, we need to set a root password. So, sorry, I misled you. We should undo that recent change.

In reply to Tim Hunt

Re: JobeInABox

by Richard Lobb

In my understanding, the absence of a root password in Ubuntu prevents anyone logging in as root, so it improves the security. The only path to running commands as root is sudo, which is tightly locked down by the sudoers file. In Jobe, only the webserver can use sudo and then only with 4 very specific commands required for control of a jobe task.

Can your contact give us an example of an exploit that is enabled by the absence of a root password, please?
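
The distinction the post above relies on, as an added example that is not part of the thread or of Jobe's own code: in shadow(5), a root password field of `*` or one starting with `!` can never match a typed password, whereas an empty field means no password is required at all. The sample entries are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report the state of root's password field in shadow(5) data.

# Constructed sample entries (not taken from any real image).
SAMPLE_STAR='root:*:19000:0:99999:7:::'
SAMPLE_BANG='root:!:19000:0:99999:7:::'
SAMPLE_EMPTY='root::19000:0:99999:7:::'
SAMPLE_SET='root:$6$constructedsalt$constructedhash:19000:0:99999:7:::'

# classify_field FIELD -> prints empty | locked | set
classify_field() {
    case "$1" in
        "")        echo empty ;;   # no password required for root
        '!'*|'*'*) echo locked ;;  # cannot be a crypt(3) result: no password matches
        *)         echo set ;;     # simplification: treat anything else as a hash
    esac
}

# root_state: reads shadow-format lines on stdin, prints the state of the
# root entry, or "missing" when there is no root line.
root_state() {
    field=$(awk -F: '$1 == "root" { print $2; found = 1; exit }
                     END { exit !found }') || { echo missing; return 0; }
    classify_field "$field"
}

# Demo over the constructed samples; "empty" is the state to worry about,
# because it is the one where becoming root needs no password.
for entry in "$SAMPLE_STAR" "$SAMPLE_BANG" "$SAMPLE_EMPTY" "$SAMPLE_SET"; do
    state=$(printf '%s\n' "$entry" | root_state)
    printf '%-60s %s\n' "$entry" "$state"
done
```

Inside a container, running `root_state < /etc/shadow` as root applies the same check to the image's real entry.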

In reply to Richard Lobb

Re: JobeInABox

by Tim Hunt

Thanks Richard. I'll test in our environment, and confirm what I find.

I agree it is better to not have a root password set, if possible.