Lockscreen password cannot be changed #1

Open
brl opened this issue Mar 4, 2018 · 0 comments

brl commented Mar 4, 2018

As the root filesystem in Citadel is read-only, the password file also cannot be changed. If the password file was made mutable with a bind mount or by symlinking into /storage, then it could be used for persistent code execution in Citadel by altering the shell field.

Ideally, it should also be possible to change this password from inside running application images and to keep the application image user password synchronized with the lockscreen password.

The solution I'm proposing is to use pam_userdb for authentication of only the user account both in Citadel and inside the application image and to RW bind-mount the database inside the application container.
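
A sketch of the PAM stack this proposal implies, as an added example that is not part of the original issue or of the Citadel code. The service file name, the account name `user` and the database path are placeholders (assumptions), since the issue names none of them.

```conf
# /etc/pam.d/EXAMPLE-LOCKSCREEN-SERVICE   (placeholder service name, an assumption)
#
# Goal from the issue: only the one desktop account authenticates against a
# small writable database. /etc/passwd and /etc/shadow stay on the read-only
# root filesystem, so the shell field never becomes writable.

# 1. Is this the desktop account? ("user" is a placeholder account name.)
#    yes -> continue to pam_userdb
#    no  -> skip one module and go straight to pam_unix
auth     [success=ok default=1]      pam_succeed_if.so quiet user = user

# 2. Check the password against the userdb. The database holds only
#    username -> crypt(3) hash pairs: no shell, UID or home directory.
#    db= is given without the ".db" suffix; the path is a placeholder.
#    The result is final either way, so a userdb failure cannot fall
#    through to pam_unix for this account.
auth     [success=done default=die]  pam_userdb.so db=/storage/EXAMPLE/lockscreen crypt=crypt

# 3. Every other account keeps using the read-only system files.
auth     required                    pam_unix.so

# pam_userdb provides only the auth and account module types, so there is no
# "password" line for it here: changing the password means rewriting the
# database record with a separate tool.
account  required                    pam_unix.so
```

Using the same lines in the application image's PAM configuration, with the database file bind-mounted read-write into the container, gives both sides one shared password record.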
