Skip to content

Remove random password in Dockerfiles #15362

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Apr 29, 2021
Merged

Remove random password in Dockerfiles #15362

merged 4 commits into from
Apr 29, 2021

Conversation

mgjm
Copy link
Contributor

@mgjm mgjm commented Apr 9, 2021
edited
Loading

The Dockerfile contained a random password to unlock the git user account. Otherwise the OpenSSH server would complain about a locked account (#377).

A locked account is marked by a ! at the start off the password hash. An alternative is the password hash *. Both are invalid crypt password hashes and therefore no login via password is possible. The ! has the additional meaning of an locked account, whereas * just means no login. See shadow(5).

Additionally the rootless Dockerfile uses the embedded SSH server. And I think the embedded SSH server does not depend on the git user password at all. Therefore we can leave the password at the default (disabled and locked via !).

ToDo:

  • Verify that the ssh access to the (root) docker image still works
  • Verify that the ssh access to the rootless docker image still works
    • If the rootless image does not work, revert 04390f5

@mgjm mgjm changed the title Remove random passwords in Dockerfile Remove random password in Dockerfiles Apr 9, 2021
@silverwind silverwind added the topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! label Apr 9, 2021
@techknowlogick techknowlogick added this to the 1.15.0 milestone Apr 10, 2021
@mgjm
Copy link
Contributor Author

mgjm commented Apr 17, 2021

I just verified that the login in the main Docker image works with the new * password hash and that the rootless image works with a locked account.

From my side this PR is now ready for review / merge.

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Apr 17, 2021
@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Apr 29, 2021
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Apr 29, 2021
@6543
Copy link
Member

6543 commented Apr 29, 2021

🚀

@6543 6543 merged commit d576126 into go-gitea:master Apr 29, 2021
@go-gitea go-gitea locked and limited conversation to collaborators Jun 4, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@6543 6543 6543 approved these changes

+1 more reviewer

@zeripath zeripath zeripath approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. topic/security Something leaks user information or is otherwise vulnerable. Should be fixed!
Projects
None yet
Milestone
1.15.0
Development

Successfully merging this pull request may close these issues.
6 participants
@mgjm @6543 @zeripath @silverwind @techknowlogick @GiteaBot