[ec2-beta] the ubuntu users home directory

Jim Cheetham jim at inode.co.nz
Tue Mar 10 00:19:20 GMT 2009


On Tue, Mar 10, 2009 at 12:38 AM, Mark Shuttleworth <mark at ubuntu.com> wrote:
> It does seem reasonable, since we're creating this concept of an "ubuntu"
> user for the first time here, that we be free to define the semantics.

At one level, all we're really creating is the concept of a system
where the "first owner" does not get to specify the name of the
non-root administrative user; that's not quite the same thing.

Other distributions have just used 'root' for this; these images have
chosen 'ubuntu' for it. We could pass the desired username in over EC2
user-data; after all, it's not really a secret to the running machine
(although arguably it exposes the name to a process that can make EC2
HTTP requests while being unable to read /etc).

The Ubuntu security model wants people to avoid using the root user,
and that's fine. Let's not give up on that one without an excellent
technical reason.

It seems to be the case that EC2 users are expecting to be able to
launch an instance of the 'canonical' Ubuntu AMI and have a fully
usable production machine available, as opposed to using it as a base
to configure their own AMI. That's not my intended use of these
images, but if that's what people want, it makes things different.
Perhaps we could be supplying partially configured images for people
like me that want to roll their own (i.e. create the admin user and
run tasksel, etc) ... if only we could interact with the EC2 console,
rather than just read it ... :-|

So, for the production users of these AMIs ... :-

If 'root' is used directly, we know the username, and we have the
(EC2-supplied) authentication credentials to connect to it (the ssh
key).

If another user is used, we know the username ('ubuntu'), we have the
authentication credentials to *connect* to it, but we don't have the
privilege escalation credentials (i.e. the user password for sudo).
There is some understandable resistance to using out-of-band
mechanisms (e.g. ec2-get-console-output) to discover the password, and
making it a static default instead of randomly-generated is bad.

So, does the ubuntu user even *need* to have a password? Keep the user
password locked in the same way that root is, and as we connect with
keys, would it then be reasonable to configure sudo's PAM rules to say
"accept if the invoking user is currently connected via ssh using
keys"? That way we reduce the chance that a rogue process becoming
"ubuntu" would be able to gain root.

(Not quite sure if that would work from within a screen session, which
isn't uncommon for administrators of a permanently-available machine.
However, that's probably not an important-enough use case, given that
screen isn't in the base install IIRC)

-jim
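
The account state the proposal above describes (login by key, account password locked like root's, and sudo not depending on a static default password) can be checked on an image. The following is an added audit helper, not code from the thread or from the Ubuntu images; it assumes the `NOPASSWD` sudoers form as the mechanism (the thread does not settle on one) and runs against constructed `/etc/shadow` and sudoers fragments embedded inline.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit whether an
# account is a "key-only" admin: password locked, sudo without password.

# Constructed sample /etc/shadow lines (not taken from any real image)
SAMPLE_SHADOW='root:*:17000:0:99999:7:::
ubuntu:!:17000:0:99999:7:::
legacy:$6$saltsalt$fakehashfakehash:17000:0:99999:7:::'

# Constructed sample sudoers fragment (assumed NOPASSWD mechanism)
SAMPLE_SUDOERS='Defaults env_reset
root ALL=(ALL) ALL
ubuntu ALL=(ALL) NOPASSWD:ALL
legacy ALL=(ALL) ALL'

# password_state USER SHADOW_TEXT -> absent | empty | locked | set
# "empty" means a blank hash field, i.e. no password required at all,
# which is the dangerous case and deliberately not reported as "locked".
password_state() {
    hash=$(printf '%s\n' "$2" | awk -F: -v u="$1" \
        '$1==u {print $2; found=1} END {if (!found) print "__absent__"}')
    case "$hash" in
        __absent__) echo absent ;;
        '')         echo empty ;;
        '!'*|'*'*)  echo locked ;;   # "!" or "*" prefix: login by password disabled
        *)          echo set ;;      # a real hash: a (possibly static) password exists
    esac
}

# sudo_mode USER SUDOERS_TEXT -> nopasswd | password | none
sudo_mode() {
    line=$(printf '%s\n' "$2" | awk -v u="$1" '$1==u {print; exit}')
    case "$line" in
        '')          echo none ;;
        *NOPASSWD*)  echo nopasswd ;;
        *)           echo password ;;
    esac
}

# key_only_admin USER -> success only if the account matches the proposal:
# password locked AND sudo does not ask for one (so no static default password)
key_only_admin() {
    [ "$(password_state "$1" "$SAMPLE_SHADOW")" = locked ] &&
    [ "$(sudo_mode "$1" "$SAMPLE_SUDOERS")" = nopasswd ]
}

for u in root ubuntu legacy; do
    printf '%s: password=%s sudo=%s\n' "$u" \
        "$(password_state "$u" "$SAMPLE_SHADOW")" "$(sudo_mode "$u" "$SAMPLE_SUDOERS")"
done
```

The `legacy` account is the case the thread argues against: a real password hash plus sudo that prompts for it, which only works if that password is a static default or is fetched out of band.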
