- A freshly installed FreedomBox can be hijacked by a third party and an admin
account can be created which can be used to inject malware or simply take over
the instance. Password protecting the firstboot step is a good way to avoid
this. A secret will be displayed to the user as soon as the Plinth package
is installed, which they have to enter during firstboot welcome step. Also,
writing this to a file in plinth's home in case the user loses it.
- This protection is not applicable for images built by freedom-maker and for
Amazon Machine Images.
Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
ba9af6ddff