I’ve been testing for the last few days a public server in a container (LXC) on a DigitalOcean droplet running Ubuntu 18.04 (kernel 4.15.0-22-generic).
Everything works fine, except that I cannot imagine that someone who might eventually access the host to simply log into the container and have root or root-like permissions on its content that easily.
Right now, there is a default user ‘ubuntu’ that can login and do everything it wants due to its default sudo priviledges (‘lxc exec webserver – sudo --login --user ubuntu’) and there is the root user (lxc exec webserver – /bin/bash) which is just as lethal as the first.
I tried to set a password for the user ‘ubuntu’ and the hashed password appears in /etc/shadow, which means that it has been recoreded, but is not required whenever ‘ubuntu’ logs in.
Creating a new user didn’t help, this can also login without a password. True, it doesn’t have sudo permissions and cannot do much harm (“sudo: no tty present and no askpass program specified”), but it doesn’t help.
Is it possible to set and actually require a password for the default user ‘ubuntu’ and to also disable ‘root’ login inside a container?