Securing a Quickstart Development Environment

Last updated on 30 April 2025

Important Note: Quickstart 1.0 is not secure, and is intended to be run only on your local PC behind a firewall. The user "quickstart" has been added to sudoers, which allows running sudo ... without a password. In addition, the user has been added to the root group. Both of these are EXTREMELY insecure, but the setup lends itself to making development easier. We are working to tighten security by default in the Quickstart 2.x version.

Security policies and common sense may require the use of non-standard passwords in your development environment.

This becomes *especially* important if you use bridged networking, as your virtual machine is exposed to the network.

Note: I am not a security nut. These are my best practices. Your mileage may vary.

Here is how to secure your Dev Environment:

1) Change default Unix passwords
For quickstart:

quickstart@qs09:~$ passwd
(current) UNIX password: 
Password: 
Retype new password: 
passwd: password updated successfully

Changing password for root:

quickstart@qs09:~$ sudo -i
root@qs09:~# passwd
Password: 
Retype new password: 
passwd: password updated successfully

Note: If it complains that the password is too simple or too short, use sudo passwd quickstart

2) Change default MySQL passwords:
http://localhost/phpmyadmin
-> Privileges
Change passwords for all root users, debian-sys-maint, and phpmyadmin

3) Remove auto-login
System -> Administration -> Login Screen -> select "show the screen for choosing who will log in"

4) Encrypt home folder
http://blog.dustinkirkland.com/2011/02/long-overdue-introduction-ecryptf...

5) Delete any previous snapshots (not the current state!)

6) Don't "Save" the machine state if you are concerned your host computer will be compromised (stolen).

Additionally, you may wish to remove the quickstart user from the "root" group, and finally change the last line of /etc/sudoers (quickstart ALL=(ALL) NOPASSWD: ALL), which enables the quickstart user to run sudo without a password. It's important to back up or snapshot before you try this, as you could break the setup if you do something incorrectly. Use a good search engine to understand how to change sudoers. Note that removing quickstart from the root group and removing passwordless sudo will break the features of quickstart-create, quickstart-destroy, and quickstart-fix that require root-level permissions. They may however work (I have not yet tested) by running commands with sudo -i drush qc ...
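
A read-only check for the two weak defaults discussed above (the NOPASSWD sudoers rule and membership of the root group), as an added example that is not part of Quickstart. The function names and the constructed sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the two weak defaults named above. File arguments
# default to the live system files; the demo at the end uses constructed copies.

# Print sudoers lines granting USER passwordless sudo (commented lines ignored).
nopasswd_rules() {
    grep -E "^[[:space:]]*$1[[:space:]].*NOPASSWD:" "${2:-/etc/sudoers}"
}

# Succeed if USER is a supplementary member of group "root".
# (A primary GID of 0 would not show here; check that with `id -g USER`.)
in_root_group() {
    awk -F: -v u="$1" '
        $1 == "root" { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit !found }' "${2:-/etc/group}"
}

# Report findings for USER; return 1 if any weak setting is present.
audit_user() {
    status=0
    if nopasswd_rules "$1" "$2" >/dev/null; then
        echo "WEAK: $1 has NOPASSWD sudo; edit the rule with: sudo visudo"
        status=1
    fi
    if in_root_group "$1" "$3"; then
        echo "WEAK: $1 is in group root; remove with: sudo gpasswd -d $1 root"
        status=1
    fi
    return $status
}

# Constructed sample files mirroring the Quickstart defaults described above.
make_sample() {
    printf '%s\n' 'root ALL=(ALL) ALL' '# quickstart ALL=(ALL) ALL' \
        'quickstart ALL=(ALL) NOPASSWD: ALL' > "$1/sudoers"
    printf '%s\n' 'root:x:0:quickstart' 'adm:x:4:quickstart' \
        'quickstart:x:1000:' > "$1/group"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
audit_user quickstart "$demo_dir/sudoers" "$demo_dir/group" || true
rm -rf "$demo_dir"
```

To check a live system, call audit_user quickstart with no file arguments as root so that /etc/sudoers is readable. visudo checks the syntax before saving, which guards against the breakage the paragraph above warns about.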
