rand256/valetudo

Users ruby and cleaner have default passwords and are members of sudo group

TonyPuryer opened this issue · 3 comments

I just installed the latest precompiled root software 'vacuum_4028_valetudo_re_0_10_7.pkg' and see that users 'ruby' and 'cleaner' are members of the sudo group. Their passwords are freely available on the internet. The sudo group has root access via /etc/sudoers - %sudo ALL=(ALL:ALL) ALL

The installer page has the warning
"Both are built by vacuumz image builder and use password "cleaner" for root login at SSH by default. You are advised to change it right after install - you know it for sure", however unfamiliar users may not be aware that there is a huge security issue by having 2 sudo members with root privileges with stock, freely advertised passwords, installed on the system. One only needs to login as either ruby or cleaner using their default passwords, and then issue the sudo -i command to become root.

For security reasons, these users should either be removed from the sudo group, or be prevented from having ssh logins (by simply adding the line 'AllowUsers root' to /etc/ssh/sshd_config).

Can you advise if these users need to be in the sudo group?
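The check described in the post above, written out as an added example; this is not code from the issue, the rand256/valetudo project or the vacuumz builder. It takes the contents of /etc/group and /etc/ssh/sshd_config as strings (constructed sample data is embedded so it runs offline), lists members of the sudo group, reports those that sshd would still let log in, and produces a hardened sshd_config with 'AllowUsers root' appended when the directive is missing. All function names are this example's own.

```shell
#!/bin/sh
# Added audit example; not from the issue thread or the vacuumz builder.

# Constructed sample of /etc/group, mirroring the state the issue describes:
# ruby and cleaner are members of the sudo group.
SAMPLE_GROUP='root:x:0:
sudo:x:27:ruby,cleaner
ssh:x:101:'

# Constructed sample of /etc/ssh/sshd_config with no AllowUsers restriction.
SAMPLE_SSHD_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes'

# sudo_members GROUP_CONTENT -> comma-separated member list of group "sudo"
sudo_members() {
  printf '%s\n' "$1" | awk -F: '$1 == "sudo" { print $4 }'
}

# ssh_allowed_users SSHD_CONFIG_CONTENT -> AllowUsers value, empty if unset
ssh_allowed_users() {
  printf '%s\n' "$1" | awk '$1 == "AllowUsers" { $1 = ""; sub(/^ /, ""); print }'
}

# risky_sudo_users GROUP_CONTENT SSHD_CONFIG_CONTENT
# Prints one sudo member per line that sshd would still accept for login:
# every member when AllowUsers is absent, otherwise only those listed in it.
risky_sudo_users() {
  allowed=$(ssh_allowed_users "$2")
  sudo_members "$1" | tr ',' '\n' | while read -r u; do
    [ -n "$u" ] || continue
    if [ -z "$allowed" ]; then
      printf '%s\n' "$u"
    else
      case " $allowed " in
        *" $u "*) printf '%s\n' "$u" ;;
      esac
    fi
  done
}

# harden_sshd_config SSHD_CONFIG_CONTENT -> same content with
# "AllowUsers root" appended when no AllowUsers line exists.
harden_sshd_config() {
  if printf '%s\n' "$1" | grep -q '^AllowUsers[[:space:]]'; then
    printf '%s\n' "$1"
  else
    printf '%s\nAllowUsers root\n' "$1"
  fi
}

# Stand-alone run against the constructed samples.
echo "sudo members:        $(sudo_members "$SAMPLE_GROUP")"
echo "ssh-reachable sudo:  $(risky_sudo_users "$SAMPLE_GROUP" "$SAMPLE_SSHD_CONFIG" | tr '\n' ' ')"
HARDENED=$(harden_sshd_config "$SAMPLE_SSHD_CONFIG")
echo "after hardening:     $(risky_sudo_users "$SAMPLE_GROUP" "$HARDENED" | tr '\n' ' ')"
```

On a real device the same functions can be fed the live files, e.g. `risky_sudo_users "$(cat /etc/group)" "$(cat /etc/ssh/sshd_config)"`; an empty result means no sudo member other than those explicitly allowed can reach the box over SSH. Restricting AllowUsers only closes the SSH path; the accounts keep their sudo rights for any other login method, so removing them from the group (or deleting them) is the stronger fix.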

How exactly would you otherwise suggest providing root access for precompiled image users, other than inventing some kind of another dustbuilder-like service for creating personalized images with custom passwords that are not freely available?

Thanks for your reply. I'm suggesting that the firmware either warns that users cleaner and ruby are able to obtain root with advertised passwords, or simply adds 'AllowUsers root' to /etc/ssh/sshd_config. It's a simple addition with large gains.

Well, okay, I've re-read your posts again and I'll edit my builder configuration to stop adding custom users altogether for the future releases, sorry for initial misunderstanding.

And regarding your suggestion in general, you may want to try reaching https://github.com/zvldz/vacuum/ because it's the repo of the builder which is used here.