Henry's picture

When I first launch my Turnkey Plone webserver, I land on a web page that asks me to change the password. The problem is that the VM is already available for requests from the Internet. That means that ANYONE in the world who happens upon my site between installation and changing the password could potentially do a bit of damage (if they know what they're doing). The chance is slim, perhaps, but not altogether ignorable.

I realize there are several workarounds for this, like temporarily repointing the IP address or disabling IP forwarding on the host firewall, but it seems to me that the password change process should probably be done in the installation and setup, prior to the VM going "live."

Thank you for your assistance.

Jeremy Davis's picture

Most TurnKey appliances ask you to set a password during firstboot configuration. It looks like Plone doesn't. There may have been some rationale for that but for now I think we'll call it a bug...

PS I just lodged it on the tracker: https://github.com/turnkeylinux/tracker/issues/554

Jeremy Davis's picture

I have spent a bit of time looking into this and it's not actually quite as easy to fix as I thought it may have been...

Also I have noticed that there is a new version of Plone out. So I think what we'll do is leave it as is for the upcoming maintenance and bugfix release (v14.1) but aim to update Plone, and create a password setting firstboot script while we are at it...

Henry's picture

The main thing is that we can confirm that this is a potential hazard, and I thank you for acknowledging this.  For the moment, I'll just have to carefully install it, and make sure the outside world cannot reach the VM until after I've gotten the whole VM set up and password protected.  I'll probably just disable it from the local firewall, since that is where it is redirected anyway.  Works for now.

Thanks again.

Henry's picture

The simplest way of all to handle this is to just assign a bogus local IP address temporarily, rather than go to all the trouble of reconfiguring the firewall. The public can't reach the server until I've changed it to the forwarding address. So this might be a good workaround for folks for the time being?
