As the root filesystem in Citadel is read-only, the password file also cannot be changed. If the password file was made mutable with a bind mount or by symlinking into /storage, then it could be used for persistent code execution in Citadel by altering the shell field.
Ideally, it should also be possible to change this password from inside running application images and to keep the application image user password synchronized with the lockscreen password.
The solution I'm proposing is to use pam_userdb for authentication of only the user account both in Citadel and inside the application image and to RW bind-mount the database inside the application container.
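The risk named in the issue, a mutable password file whose shell field can be altered, shown as a baseline check. This is an added example, not code from the issue or from the Citadel project. It assumes the standard seven-field passwd(5) layout with the password hash in the second field; the function names and sample entries are constructed for illustration.

```python
# Added example: compare a writable passwd copy against the read-only baseline
# and report every change that is not a password change.
PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")


def parse_passwd(text):
    """Map account name -> dict of the seven colon-separated passwd(5) fields."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(PASSWD_FIELDS):
            raise ValueError(f"malformed passwd line: {line!r}")
        entry = dict(zip(PASSWD_FIELDS, parts))
        entries[entry["name"]] = entry
    return entries


def diff_against_baseline(baseline_text, mutable_text, allowed=("passwd",)):
    """Return (account, field, old, new) for each change outside `allowed`."""
    base = parse_passwd(baseline_text)
    cur = parse_passwd(mutable_text)
    findings = []
    for name in sorted(set(base) | set(cur)):
        if name not in base:
            findings.append((name, "<account>", None, "added"))
        elif name not in cur:
            findings.append((name, "<account>", "present", None))
        else:
            for field in PASSWD_FIELDS:
                if field in allowed:
                    continue
                if base[name][field] != cur[name][field]:
                    findings.append((name, field, base[name][field], cur[name][field]))
    return findings


# Constructed sample data (not taken from a real system).
BASELINE = """root:x:0:0:root:/root:/usr/sbin/nologin
user:$6$old$hash:1000:1000:User:/home/user:/bin/bash
"""
PASSWORD_CHANGE_ONLY = BASELINE.replace("$6$old$hash", "$6$new$hash")
SHELL_CHANGED = PASSWORD_CHANGE_ONLY.replace(
    "/home/user:/bin/bash", "/home/user:/storage/example-shell")

if __name__ == "__main__":
    for finding in diff_against_baseline(BASELINE, SHELL_CHANGED):
        print(finding)
```

A store that holds only a username-to-hash mapping, as the pam_userdb proposal does, has no shell, UID or home field to check in the first place.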