mirror of
https://github.com/community-scripts/ProxmoxVE.git
synced 2026-05-12 11:12:15 -04:00
[Security Risk] Home Assistant Container LXC installs unsecured portainer instance on network w/no warning(s) #755
Closed
opened 2025-11-20 04:53:27 -05:00 by saavagebueno
·
10 comments
Originally created by @numericOverflow on GitHub (Mar 21, 2025).
✅ Have you read and understood the above guidelines?
Yes
📜 What is the name of the script you are using?
Home Assistant (LXC)
📂 What was the exact command used to execute the script?
bash -c "$(wget -qLO - https://github.com/community-scripts/ProxmoxVE/raw/main/ct/homeassistant.sh)"
📝 Provide a clear and concise description of the issue.
Installing Home Assistant LXC also installs a Portainer instance in that LXC which has no default user/pass configured. The first person to access that Portainer instance's web GUI can pwn the install, as they get to set the admin credentials.
IMO, this seems like a big security risk to leave an open Portainer install on the network. There's no warning to the user that Portainer now exists and needs to be secured by finishing the Portainer setup.
I only happened to find it because I copied the wrong URL while trying to open Home Assistant for the first time.
⚙️ What settings are you using?
🖥️ Which Linux distribution are you using?
Debian 12
🔄 Steps to reproduce the issue.
Run the HA (LXC) install command:
bash -c "$(wget -qLO - https://github.com/community-scripts/ProxmoxVE/raw/main/ct/homeassistant.sh)"
Everything from there is automatic.
Visit the HA URL shown after the install script completes.
Set admin user/pass on that Portainer instance.
❌ Paste the full error output (if available).
Not an error, the script installed successfully. This is a security risk.
To mitigate, I'd suggest any of the following
🖼️ Additional context (optional).
@MickLesk commented on GitHub (Mar 21, 2025):
It is impossible to automate this. Portainer setup is only possible through the UI. Basically, this should probably be in the Portainer repo, as we have no control over the tool.
If it were, the most we could do is add a note on the website. But surely everyone who installs Portainer should also know that it needs to be set up?
@tremor021 commented on GitHub (Mar 21, 2025):
Also, how the hell can someone "pwn" this? You're the one installing it...
@numericOverflow commented on GitHub (Mar 21, 2025):
@MickLesk - True, if I set out to install Portainer, I would absolutely know to go secure it. I wasn't expecting Portainer to be installed, so that's the issue, IMO.
I guess the unexpected nesting of LXC -> Portainer -> Docker container is really what I see as the problem. I get it, HA is distributed as a Docker image which necessitates Portainer, but at least tell the users they are responsible for securing the newly installed dependency.
There are often tons of dependencies installed when an app or container is set up, but I think the general expectation is that you should only need to configure the main application you're installing (in this case Home Assistant) and not necessarily go secure each & every dependency (Portainer) unless explicitly told you must do so.
A note on the website as well as a notice when the install script completes would be a decent start, as there's nothing suggesting that Portainer is installed unless you closely watch the actual install steps.
@tremor021 - If someone finds the unconfigured Portainer UI, they can do anything they want to the HA setup, where there is a TON of sensitive info within HA. They just complete the Portainer setup with any user/pass they want and bingo. This feels pretty "pwn" to me...
@numericOverflow commented on GitHub (Mar 21, 2025):
BTW - don't get me wrong, these scripts are great and I absolutely love the work. I'm just reporting what I see as a security hole with the hope of making it better in the end :)
@tremor021 commented on GitHub (Mar 21, 2025):
@numericOverflow that's not how it works. Portainer has a 5-minute timeout for you to enter a new user. If you fail, it shuts down the container.
@numericOverflow commented on GitHub (Mar 21, 2025):
Right, but from my testing, that configuration timeout window reopens every time I restart the container.
@tremor021 commented on GitHub (Mar 21, 2025):
@numericOverflow Correct. After you restart Portainer, you get a chance to enter user/pass again for 5 minutes. If the guy attacking you has the power to start a container on your host, then I'm afraid you have bigger problems than Portainer.
@Mati-l33t commented on GitHub (Mar 21, 2025):
Are you not already pwned if someone has access to your LAN?
@numericOverflow commented on GitHub (Mar 22, 2025):
OK, let me frame this another way:
Wouldn't it be better if we just asked the user whether they actually want Portainer, and only installed it if they say yes?
That looks like the strategy the Docker LXC install script takes.
@MickLesk commented on GitHub (Mar 31, 2025):
We do not change the logic of stock scripts to this extent. Portainer is fixed there, therefore no optional question is necessary or useful.
As already explained, Portainer loses the option to store a user password there after 5 minutes, until the next restart.
I have added the information to the website accordingly. But in the end, if someone is in your network within 5 minutes, they certainly have better things to do than bashing Portainer with HomeAssistant :-D
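An added example (not part of the issue thread or of the community-scripts code) of the post-install notice numericOverflow asked for, combined with the 5-minute setup window tremor021 describes: it asks the local Portainer instance whether an admin account exists yet and warns the operator if first-time setup is still pending. It assumes Portainer listens on 127.0.0.1:9000 inside the LXC and that its unauthenticated `GET /api/users/admin/check` endpoint answers 204 when an admin exists and 404 while setup is pending, as documented in the Portainer API.

```shell
#!/usr/bin/env bash
# Added example, not from the ProxmoxVE scripts: warn at the end of an install
# when the bundled Portainer instance still has no admin account.
# Assumption: the local Portainer HTTP port is 9000; override via PORTAINER_URL.
PORTAINER_URL="${PORTAINER_URL:-http://127.0.0.1:9000}"

# Map the HTTP status of GET /api/users/admin/check to a state word.
# Assumed per the Portainer API docs: 204 = admin exists, 404 = setup pending.
portainer_state_from_status() {
  case "$1" in
    204)    echo "initialized" ;;
    404)    echo "uninitialized" ;;
    000|"") echo "unreachable" ;;
    *)      echo "unknown" ;;
  esac
}

# Query the local instance, print a human-readable verdict, and return 0
# only when an admin account has already been created.
check_portainer_admin() {
  local status state
  # curl prints only the status code; a refused connection yields 000.
  status=$(curl -s -o /dev/null -w '%{http_code}' --max-time 5 \
             "${PORTAINER_URL}/api/users/admin/check" 2>/dev/null || echo 000)
  state=$(portainer_state_from_status "$status")
  case "$state" in
    initialized)
      echo "Portainer admin account exists; nothing to do." ;;
    uninitialized)
      echo "WARNING: Portainer at ${PORTAINER_URL} has no admin account yet."
      echo "Open it now and set credentials: the setup window closes after"
      echo "5 minutes and reopens on every container restart." ;;
    *)
      echo "Portainer at ${PORTAINER_URL} is ${state} (HTTP ${status})." ;;
  esac
  [ "$state" = "initialized" ]
}

# Run the check once when the script is executed; exit status 0 = secured.
check_portainer_admin
```

Appending this to the end of an install script (or running it from the PVE host with the container's address in `PORTAINER_URL`) gives the operator the missing notice without changing what gets installed.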