[DRE-maint] Bug#926227: obs-api: Admin user should not have a well-known password

Simon McVittie smcv at collabora.com
Tue Apr 2 11:50:03 BST 2019


Package: obs-api
Severity: important
Tags: upstream
Control: block 926198 by -1

Installing obs-api currently creates an "Admin" user with the well-known
password "opensuse", which the user is expected to change before doing
anything else.

I think the Admin user's password should either be set to something
securely random, for example the result of reading
/proc/sys/kernel/random/uuid, and made available to the sysadmin somehow
(for example written to a file only readable by root); or prompted for by
a debconf question (maybe as part of #926200), with the default being
either a securely random string or something that makes it impossible to
log in until the password is changed by manipulating the database.

I'm marking this as blocking #926198, because it would certainly be a
security vulnerability if the maintainer scripts brought up the system
automatically but didn't change Admin's password.

    smcv
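As an added illustration of the first option the report proposes (not code from the bug report, from Debian or from the obs-api package), the following POSIX shell sketch shows how a maintainer script could set a securely random initial Admin password from /proc/sys/kernel/random/uuid and leave it in a file only its owner can read. The file path, function names and the /dev/urandom fallback are assumptions for the example; a real postinst would write under a root-owned directory and then set the password in the application's database.

```shell
#!/bin/sh
# Added example: generate a random initial Admin password and store it
# in a file readable only by its owner. Paths and names are assumed.

set -eu

# Produce a random secret. The report suggests reading
# /proc/sys/kernel/random/uuid; fall back to /dev/urandom where it is absent.
generate_admin_password() {
    if [ -r /proc/sys/kernel/random/uuid ]; then
        cat /proc/sys/kernel/random/uuid
    else
        od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
    fi
}

# Write the secret to the file named in $1 with mode 0600.
# umask is set in a subshell before the file is created, so there is no
# window in which the file exists with wider permissions.
store_admin_password() {
    file="$1"
    password="$2"
    ( umask 077; printf '%s\n' "$password" > "$file" )
}

# Report the permission bits of a file (e.g. 600); GNU stat first, BSD stat second.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Top-level flow a postinst could call. The path is a parameter so the
# example runs unprivileged; the default is an assumed location.
setup_admin_password() {
    file="${1:-/etc/obs-api/admin-password}"   # assumed path, not the package's
    password="$(generate_admin_password)"
    store_admin_password "$file" "$password"
    # Never print the secret itself, only where the sysadmin can find it.
    echo "Initial Admin password written to $file (mode $(file_mode "$file"))"
}

# Usage (as root, in a maintainer script): setup_admin_password
```

The two properties worth checking after such a step are that the file mode really is 0600 and that successive runs never produce the same secret; both are cheap to verify in a package test.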
