Automatically disable user accounts known to be insecure stored in images

                 Key: VCL-562
             Project: VCL
          Issue Type: New Feature
          Components: database, vcld (backend)
    Affects Versions: 2.2.1
            Reporter: Andy Kurth
            Assignee: Andy Kurth
            Priority: Minor
             Fix For: 2.4

It is somewhat common where a user account is manually created by a user 
creating an image and the user account is left in the image when it is saved.  
There are cases where this is useful and intentional such as creating a user 
account that is used to run a service.

There are also cases where this is unintentional and insecure if a weak 
password is set on the user account.  An example would be where an image 
creator creates a user account named "Profile" which is used to customize the 
default user profile.  This account may have a weak password.  The image 
creator logs in as "Profile", customizes the desktop, then copies the profile 
stored under "Profile" to "Default User".   The "Profile" user is not deleted 
from the image when it is captured.

If this image is then used to create child images the problem could spread.  It 
would be useful to be able to store a list of known-bad usernames in the 
database.  Any images containing user accounts matching any in this list would 
have the users accounts disabled when the image is loaded.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:!default.jspa
For more information on JIRA, see:


Reply via email to