
SECURITY: user admin password admin in the images #881

Open
antonio24073 opened this issue Dec 4, 2024 · 7 comments

Comments

@antonio24073

Hi,

I was using an image derived from "nestybox/ubuntu-jammy-systemd-docker:latest".
But I discovered that someone was getting into my docker images via ssh and installing cryptocurrency zombies.
I discovered a user admin in all images on the production sites.
I tracked where this user came from and I got to this file:

https://github.com/nestybox/dockerfiles/blob/master/ubuntu-jammy-systemd/Dockerfile

There is a user admin with password admin.
I would like to know if this is a good practice and if this password is needed, or could I delete it?

Best regards,

@rodnymolina
Member

Hi, @antonio24073, these docker images are samples that we created in the past to serve as a reference, but they are not expected to be utilized in production setups. You can easily remove this admin user by editing the dockerfile that you pointed at.

@antonio24073
Author

Hi,

It could have been avoided. The documentation clearly says to use these images. I didn't read anything in the installation telling you to create your own images based on this. Could you fix it? It's not even for me, it's for another careless person. Either remove the user or warn them not to use these images.

What would be the base image for websites in production?

Best regards,

@antonio24073
Author

I also forgot to mention... I used this image in a Docker Hub repository that currently has 2500 downloads.
But thanks, the project works very well. Just this inattention.

Best regards

@ctalledo
Member

ctalledo commented Dec 9, 2024

Hi @antonio24073, thanks for reporting.

As @rodnymolina mentioned, the images are meant to be reference examples, but we take your point that this should be more clearly indicated.

As an FYI, it's mentioned a bit in the Dockerfiles for each of the images, for example this one:

# Sample container image with Ubuntu Noble + Systemd
#
# Description:
#
# This image serves as a basic reference example for user's looking to
# run Systemd inside a system container in order to deploy various
# services within the system container, or use it as a virtual host
# environment.
#
# Usage:
#
# $ docker run --runtime=sysbox-runc -it --rm --name=syscont nestybox/ubuntu-noble-systemd
#
# This will run systemd and prompt for a user login; the default user/password
# in this image is "admin/admin".

It's also mentioned in this README file:

The Dockerfiles and associated images are meant to be used as examples.

However, to your point, given that we are embedding the user-id and password in some of the sample images (so people can easily try them), I think we need a stronger notice to users.

Any suggestions on how best to do this?
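One concrete way to act on the thread's concern, added here as an illustration and not code from this issue or from the nestybox project: a small lint check that flags Dockerfile instructions which bake a password into an image layer (an `echo user:pass | chpasswd` pipe, `useradd -p`, `passwd --stdin`, or an `ENV`/`ARG` carrying a password value). The two Dockerfiles below are constructed samples modelled on the pattern the thread describes; the rule names and the `useradd` line in the hardened sample are this example's own choices, not the project's Dockerfile. The hardened form creates the account with no password at all, so it stays locked until an operator sets one inside a running container (e.g. via `docker exec`, as noted later in this thread) and nothing secret is stored in the image.

```python
"""Lint Dockerfile text for credentials baked in at build time (example code)."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    line_no: int   # line on which the offending instruction starts
    rule: str      # constructed rule name
    text: str      # the joined instruction that matched


# Constructed rules covering common ways a default password ends up in a layer.
# The first matching rule wins, so each instruction yields at most one finding.
_RULES = [
    ("chpasswd-pipe", re.compile(r'echo\s+["\']?\S+:\S+["\']?\s*\|\s*chpasswd')),
    ("useradd-p", re.compile(r'\buseradd\b.*\s-p\s+\S+')),
    ("useradd-password", re.compile(r'\buseradd\b.*--password[= ]\S+')),
    ("passwd-stdin", re.compile(r'\bpasswd\b.*--stdin')),
    ("env-password", re.compile(
        r'^\s*(?:ENV\s+\S*PASS\S*[= ]\s*\S+|ARG\s+\S*PASS\S*=\S+)', re.I)),
]


def logical_lines(text: str) -> list[tuple[int, str]]:
    """Join backslash-continued Dockerfile lines, keeping the start line number."""
    out, buf, start = [], [], None
    for i, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = i
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line.strip())
        out.append((start, " ".join(buf)))
        buf, start = [], None
    if buf:  # file ended on a continuation line
        out.append((start, " ".join(buf)))
    return out


def lint_dockerfile(text: str) -> list[Finding]:
    """Return one Finding per instruction that embeds a credential."""
    findings = []
    for no, line in logical_lines(text):
        if not line or line.startswith("#"):
            continue
        for rule, pat in _RULES:
            if pat.search(line):
                findings.append(Finding(no, rule, line))
                break
    return findings


# Constructed sample: a default login created at build time, so every container
# from this image (and every derived image) shares the same credential.
SAMPLE_DOCKERFILE = """\
# Constructed sample, modelled on the pattern discussed in the issue.
FROM ubuntu:jammy
RUN apt-get update && apt-get install -y systemd openssh-server
# Baked-in default credential: every container built from this image shares it.
RUN useradd --create-home --shell /bin/bash admin && \\
    echo "admin:admin" | chpasswd && \\
    adduser admin sudo
ENV DB_PASSWORD=changeme
CMD ["/sbin/init"]
"""

# Constructed hardened sample: the account exists but has no password, so it is
# locked until an operator sets one at runtime; no secret lands in a layer.
HARDENED_DOCKERFILE = """\
FROM ubuntu:jammy
RUN apt-get update && apt-get install -y systemd
# No password set here; set one inside the running container if you need one.
RUN useradd --create-home --shell /bin/bash admin
CMD ["/sbin/init"]
"""


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        found = lint_dockerfile(text)
        print(f"{name}: {len(found)} finding(s)")
        for f in found:
            print(f"  line {f.line_no} [{f.rule}]: {f.text}")
```

Run against the sample it reports the `chpasswd` pipe on the `RUN` that creates `admin` and the `ENV DB_PASSWORD` line; the hardened file produces no findings. A check like this fits naturally in CI for a repository of sample Dockerfiles, which addresses the "stronger notice" question by failing the build rather than relying on a README sentence.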

@antonio24073
Author

Hi again,
Sharing my user experience:
When I installed this image, I remembered that I had read that the images are examples.
But saying that an image is an example is different from saying that the image could not be used on a production server.
I think if a person knows how to use docker, they know how to add a user inside Linux. I vote for removing this command from the Dockerfiles. Unless these docker files come with .env files to configure it.
Best regards,

@antonio24073
Author

This user is not needed to enter the docker image with docker exec -it o1j23oi1j23j bash.

@ctalledo
Member

Thanks again for the feedback @antonio24073, we will improve it.
