Docker-alpine: Default installation allows user to su to root without password after installing shadow-package
Hi,
This is basically the same problem as with #101, but this time it requires the installation of the shadow-package.
It seems that by default /bin/su is a link to busybox which does not have the SUID bit set so the empty root password is not an issue. However, the situation silently changes if the user installs the shadow-package for user account management. This was a major suprise to me when I noticed it and, IMHO, the correct way to fix this for good is to just disable the root password with '*'.
To demonstrate, here's how it happens:
$ docker run -it alpine:3.8 sh
/ # ls -l /bin/su
lrwxrwxrwx 1 root root 12 Jul 5 14:47 /bin/su -> /bin/busybox
/ # ls -l /bin/busybox
-rwxr-xr-x 1 root root 796312 May 30 10:46 /bin/busybox
/ # apk --no-cache add shadow
fetch http://dl-cdn.alpinelinux.org/alpine/v3.8/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.8/community/x86_64/APKINDEX.tar.gz
(1/2) Installing linux-pam (1.3.0-r0)
(2/2) Installing shadow (4.5-r0)
Executing busybox-1.28.4-r0.trigger
OK: 7 MiB in 15 packages
/ # ls -l /bin/su
-rwsr-xr-x 1 root root 36560 May 19 11:19 /bin/su
It may as well be linux-pam that does it but that's beside the point. Let me know if you need more information.
kalaksi
All 3 comments
I can confirm the issue.
dbjpanda
on 14 Nov 2018
This has been fixed with: https://github.com/docker-library/official-images/pull/5516
Thanks!
ncopa
on 8 Mar 2019
For the record, the upstream commit fixing the issue is:
https://git.alpinelinux.org/aports/commit/?id=7a2566ec8260ceacae81088ebe2ffe6526c3809e
ncopa
on 9 May 2019
Related issues
frebib
路
4Comments
crsrivats
路
5Comments
ncopa
路
4Comments
u6f6o
路
4Comments
rmNyro
路
4Comments
Most helpful comment
For the record, the upstream commit fixing the issue is:
https://git.alpinelinux.org/aports/commit/?id=7a2566ec8260ceacae81088ebe2ffe6526c3809e