Details
-
New Feature
-
Status: Resolved
-
Minor
-
Resolution: Fixed
-
2.2.1
-
None
Description
It is somewhat common where a user account is manually created by a user creating an image and the user account is left in the image when it is saved. There are cases where this is useful and intentional such as creating a user account that is used to run a service.
There are also cases where this is unintentional and insecure if a weak password is set on the user account. An example would be where an image creator creates a user account named "Profile" which is used to customize the default user profile. This account may have a weak password. The image creator logs in as "Profile", customizes the desktop, then copies the profile stored under "Profile" to "Default User". The "Profile" user is not deleted from the image when it is captured.
If this image is then used to create child images the problem could spread. It would be useful to be able to store a list of known-bad usernames in the database. Any images containing user accounts matching any in this list would have the users accounts disabled when the image is loaded.