Add password for initial configuration
-
We actually implemented this a couple of releases ago. If you run
cloudron-setup --generate-setup-token, it will create a setup token which is saved in/etc/cloudron/SETUP_TOKEN. At the end of setup script, it will also display the token. -
We actually implemented this a couple of releases ago. If you run
cloudron-setup --generate-setup-token, it will create a setup token which is saved in/etc/cloudron/SETUP_TOKEN. At the end of setup script, it will also display the token. -
@girish Wouldn't it be better if this was the default for new installations, and then have the flag for disabling it?
@ruihildt I guess that is a bit of a trade-off between usability and real threat. Generally an attacker would have to get the time window right, know the ip address and then will be able to setup the Cloudron. However to actually then also modify the code to let the normal user believe nothing the system is untampered with, he/she needs to have SSH access, which the dashboard does not give as such. So further an attacker would need to know a security hole in Cloudron components.
Overall from my current perspective, that risk is quite low. Does anyone else have a different idea how to exploit this?
-
@ruihildt I guess that is a bit of a trade-off between usability and real threat. Generally an attacker would have to get the time window right, know the ip address and then will be able to setup the Cloudron. However to actually then also modify the code to let the normal user believe nothing the system is untampered with, he/she needs to have SSH access, which the dashboard does not give as such. So further an attacker would need to know a security hole in Cloudron components.
Overall from my current perspective, that risk is quite low. Does anyone else have a different idea how to exploit this?
-
@nebulon No SSH access needed, an attacker could just use the Volumes feature to get write access to the cloudron code folder, and be able to do whatever they want.
-
OK, my bad about volumes, but I believe the Cloudron dashboard was not designed with the goal of defending against an admin constantly in mind. So it is safe to assume that there are probably bypasses lurking somewhere, maybe in the docker addon, maybe in the backups stuff ... in any case, I believe that having this as default would be a minor inconvenience, with a non-negligible security benefit.
-
OK, my bad about volumes, but I believe the Cloudron dashboard was not designed with the goal of defending against an admin constantly in mind. So it is safe to assume that there are probably bypasses lurking somewhere, maybe in the docker addon, maybe in the backups stuff ... in any case, I believe that having this as default would be a minor inconvenience, with a non-negligible security benefit.
-
@mehdi This is exactly what I'm most worried about, the unknown unknowns, and it seems here the added friction is negligible: copying the token from the command line to the webbrowser.
-
R rmdes referenced this topic on
