docker-library/drupal

security hardening for official docker images

greggles opened this issue · 4 comments

The Drupal security team received this suggestion:

I'm a white hat hacker. The proposed software on your site hub.docker.com has a critical vulnerability. I checked your container using a different method, but I see you did not set a password for root in docker; that's very, very dangerous.
https://hub.docker.com/_/drupal

I don't know enough about docker or the intended uses of the container to say whether or not it is a vulnerability or a dangerous vulnerability.

Related: would be great to have a way to report security vulnerabilities at https://github.com/docker-library/drupal/security

> I'm a white hat hacker. The proposed software on your site hub.docker.com has a critical vulnerability. I checked your container using a different method, but I see you did not set a password for root in docker; that's very, very dangerous.

All images within the program (including this one) are run through https://github.com/docker-library/official-images/blob/master/test/tests/no-hard-coded-passwords/run.sh on every update/change -- as validated by that test, the root user in the images has a disabled password, not an empty one. 🙈 😅

My own "host" Debian system has the same * value in /etc/shadow as the Debian-based image does, and the Alpine image uses the explicit ! value (which is defined to mean "locked").

> Related: would be great to have a way to report security vulnerabilities at https://github.com/docker-library/drupal/security

We would love that -- unfortunately, that's outside our control (GitHub would have to implement new functionality for that). 😞
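The distinction made above (a disabled `*` or locked `!` password field versus a genuinely empty one) is what an image audit should check. The following is an added example, not the official-images `no-hard-coded-passwords` test script; it classifies shadow-format entries from a constructed sample and flags only the empty field, which is the case that actually matters:

```shell
#!/bin/sh
# Classify /etc/shadow-style password fields. Constructed sample, not from any real image:
SAMPLE_SHADOW='root:*:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alpineroot:!:19000:0:99999:7:::
nopass::19000:0:99999:7:::
app:$6$constructedsalt$constructedhash:19000:0:99999:7:::'

# classify_pw FIELD -> prints one of: EMPTY, disabled, locked, locked-hash, hash
classify_pw() {
    case "$1" in
        '')        echo EMPTY ;;        # empty field: password-less login may be accepted
        '*')       echo disabled ;;     # Debian default: no hash can ever match
        '!'|'!!')  echo locked ;;       # Alpine default / passwd -l: explicitly locked
        '!'*)      echo locked-hash ;;  # locked, but still carries an old hash
        *)         echo hash ;;         # a real hash: strength is a separate question
    esac
}

# check_shadow: reads shadow lines on stdin, prints "user: class",
# returns 1 if any account has an EMPTY password field, 0 otherwise.
check_shadow() {
    rc=0
    while IFS=: read -r user pw _rest; do
        [ -n "$user" ] || continue
        class=$(classify_pw "$pw")
        echo "$user: $class"
        if [ "$class" = EMPTY ]; then rc=1; fi
    done
    return $rc
}

# Demo on the constructed sample; "nopass" is the only entry that gets flagged.
printf '%s\n' "$SAMPLE_SHADOW" | check_shadow \
    || echo "FAIL: at least one account has an empty password field"
```

To audit a real image, feed it the container's own file instead of the sample, e.g. `docker run --rm IMAGE cat /etc/shadow | check_shadow` (the official images run as root by default, so the file is readable).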

Thanks for that research and explanation on how the environment is configured. It seems there is not much of a vulnerability.

I proposed a potential security policy in #203. If that doesn't seem helpful it would be fine to close it and not merge. My sense is that some answer for the security reporting mechanism is better than none, but I'm open to other opinions/strategies.

Closing as this isn't a real issue in the image (will continue the SECURITY.md discussion over in #203 👍)

Agreed with closing this. Thanks!