Automatically disable user accounts known to be insecure stored in images
-------------------------------------------------------------------------
Key: VCL-562
URL: https://issues.apache.org/jira/browse/VCL-562
Project: VCL
Issue Type: New Feature
Components: database, vcld (backend)
Affects Versions: 2.2.1
Reporter: Andy Kurth
Assignee: Andy Kurth
Priority: Minor
Fix For: 2.4

It is somewhat common for a user account to be manually created by a user
creating an image and for the user account to be left in the image when it is
saved. There are cases where this is useful and intentional, such as creating a
user account that is used to run a service.

There are also cases where this is unintentional and insecure if a weak
password is set on the user account. An example would be where an image
creator creates a user account named "Profile" which is used to customize the
default user profile. This account may have a weak password. The image
creator logs in as "Profile", customizes the desktop, then copies the profile
stored under "Profile" to "Default User". The "Profile" user is not deleted
from the image when it is captured.

If this image is then used to create child images, the problem could spread. It
would be useful to be able to store a list of known-bad usernames in the
database. Any images containing user accounts matching any in this list would
have the user accounts disabled when the image is loaded.
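
A sketch of the check this issue proposes, added here as an illustration; it is not VCL code and not the reporter's design. The list contents, the `LocalAccount` type, the function names and the `keep` parameter are assumptions, the account listing is constructed, and the disable commands are built as argument lists rather than executed.

```python
from dataclasses import dataclass

# Constructed sample list; the issue proposes keeping the real one in the database.
KNOWN_BAD_USERNAMES = {"profile", "temp", "test"}


@dataclass(frozen=True)
class LocalAccount:
    name: str
    enabled: bool


def accounts_to_disable(accounts, known_bad, keep=()):
    """Return enabled accounts whose names are on the known-bad list.

    Names are compared case-folded because Windows account names are
    case-insensitive. `keep` (an assumption of this example) names accounts
    that must stay enabled, such as the user the reservation was made for.
    """
    bad = {n.strip().casefold() for n in known_bad}
    protected = {n.strip().casefold() for n in keep}
    return [
        a for a in accounts
        if a.enabled
        and a.name.strip().casefold() in bad
        and a.name.strip().casefold() not in protected
    ]


def disable_command(account, os_type):
    """Build, without running, the argv that disables one local account."""
    if os_type == "windows":
        return ["net", "user", account.name, "/active:no"]
    if os_type == "linux":
        # Lock the password and expire the account so key-based logins fail too.
        return ["usermod", "--lock", "--expiredate", "1", account.name]
    raise ValueError(f"unsupported OS type: {os_type!r}")


# Constructed account listing for an image as it is loaded.
SAMPLE_ACCOUNTS = [
    LocalAccount("Administrator", True),
    LocalAccount("Profile", True),      # leftover from profile customization
    LocalAccount("svc_render", True),   # intentional service account, not listed
    LocalAccount("Temp", False),        # listed but already disabled
    LocalAccount("Test", True),         # listed, but is the reservation user here
]

if __name__ == "__main__":
    for acct in accounts_to_disable(SAMPLE_ACCOUNTS, KNOWN_BAD_USERNAMES, keep=["test"]):
        print(" ".join(disable_command(acct, "windows")))
```

Passing the account name as its own argument keeps names containing spaces or shell metacharacters from being reinterpreted when the command is eventually run.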