mirror of
https://github.com/community-scripts/ProxmoxVE.git
synced 2026-02-05 00:29:55 +03:00
[Security Risk] Home Assistant Container LXC installs unsecured portainer instance on network w/no warning(s) #678
Closed
opened 2026-02-04 20:44:10 +03:00 by OVERLORD
·
10 comments
No Branch/Tag Specified
main
github-action-update-changelog
pr-update-app-files
docker_deb13
feat/cloudinit-sshkeys
feat/sqlserver2025
automated/update-github-versions
add-script-opencloud-1770212555
add-script-openclaw-1770212634
github-action-archive-changelog
update_apps_tool
add-script-wishlist-1770193085
MickLesk-patch-2
add-script-writefreely-1770188758
add-script-wealthfolio-1770143943
fix/vaultwarden-update-script
remove_memos
disable_npm
feature/codeberg-functions-forgejo-readeck
add-script-rustypaste-1770019426
add-script-kitchenowl-1770017260
fix/2fauth-php-version
tools_func_addcodeberg
CrazyWolf13-patch-2
add-script-shelfmark-1769790178
CrazyWolf13-patch-1
add-script-ampache-1769790139
add-script-languagetool-1769790155
remove_php_deps
ref_koilection
fix/php-module-improvements
tremor021-patch-1
fix/open-archiver-meilisearch-migration
cloudflare_dns
MickLesk-patch-1
michelroegl-brunner-patch-2
fix/version-display
fix/debian13-root-ownership
feat/interactive_prompts
feature/smart-error-recovery
core_stable
update_docs
refactor/tools-func-stability
certbot_npm
2026-02-03
2026-02-02
2026-02-01
2026-01-31
2026-01-30
2026-01-29
2026-01-28
2026-01-27
2026-01-26
2026-01-25
2026-01-24
2026-01-23
2026-01-22
2026-01-21
2026-01-20
2026-01-19
2026-01-18
2026-01-17
2026-01-16
2026-01-15
2026-01-14
2026-01-13
2026-01-12
2026-01-11
2026-01-10
2026-01-09
2026-01-08
2026-01-07
2026-01-06
2026-01-05
2026-01-04
2026-01-03
2026-01-02
2026-01-01
2025-12-31
2025-12-30
2025-12-29
2025-12-28
2025-12-27
2025-12-26
2025-12-25
2025-12-24
2025-12-23
2025-12-22
2025-12-21
2025-12-20
2025-12-19
2025-12-18
2025-12-17
2025-12-16
2025-12-15
2025-12-14
2025-12-13
2025-12-12
2025-12-11
2025-12-10
2025-12-09
2025-12-08
2025-12-07
2025-12-06
2025-12-05
2025-12-04
2025-12-03
2025-12-02
2025-12-01
2025-11-30
2025-11-29
2025-11-28
2025-11-27
2025-11-26
2025-11-25
2025-11-24
2025-11-23
2025-11-22
2025-11-21
2025-11-20
2025-11-19
2025-11-18
2025-11-17
2025-11-16
2025-11-15
2025-11-14
2025-11-13
2025-11-12
2025-11-11
2025-11-10
2025-11-09
2025-11-08
2025-11-07
2025-11-06
2025-11-05
2025-11-04
2025-11-03
2025-11-02
2025-11-01
2025-10-31
2025-10-30
2025-10-29
2025-10-28
2025-10-27
2025-10-26
2025-10-25
2025-10-24
2025-10-23
2025-10-22
2025-10-21
2025-10-20
2025-10-19
2025-10-18
2025-10-17
2025-10-16
2025-10-15
2025-10-14
2025-10-13
2025-10-12
2025-10-11
2025-10-10
2025-10-09
2025-10-08
2025-10-07
2025-10-06
2025-10-05
2025-10-04
2025-10-03
2025-10-02
2025-10-01
2025-09-30
2025-09-29
2025-09-28
2025-09-27
2025-09-26
2025-09-25
2025-09-24
2025-09-23
2025-09-22
2025-09-21
2025-09-20
2025-09-19
2025-09-18
2025-09-17
2025-09-16
2025-09-15
2025-09-14
2025-09-13
2025-09-12
2025-09-11
2025-09-10
2025-09-09
2025-09-08
2025-09-07
2025-09-06
2025-09-05
2025-09-04
2025-09-03
2025-09-02
2025-09-01
2025-08-31
2025-08-30
2025-08-29
2025-08-28
2025-08-27
2025-08-26
2025-08-25
2025-08-24
2025-08-23
2025-08-22
2025-08-21
2025-08-20
2025-08-19
2025-08-18
2025-08-17
2025-08-16
2025-08-15
2025-08-14
2025-08-13
2025-08-12
2025-08-11
2025-08-10
2025-08-09
2025-08-08
2025-08-07
2025-08-06
2025-08-05
2025-08-04
2025-08-03
2025-08-02
2025-08-01
2025-07-31
2025-07-30
2025-07-29
2025-07-28
2025-07-27
2025-07-26
2025-07-25
2025-07-24
2025-07-23
2025-07-22
2025-07-21
2025-07-20
2025-07-19
2025-07-18
2025-07-17
2025-07-16
2025-07-15
2025-07-14
2025-07-11
2025-07-10
2025-07-09
2025-07-08
2025-07-07
2025-07-06
2025-07-05
2025-07-04
2025-07-03
2025-07-02
2025-07-01
2025-06-30
2025-06-29
2025-06-28
2025-06-27
2025-06-26
2025-06-25
2025-06-24
2025-06-23
2025-06-22
2025-06-21
2025-06-20
2025-06-19
2025-06-18
2025-06-17
2025-06-16
2025-06-15
2025-06-14
2025-06-13
2025-06-12
2025-06-11
2025-06-10
2025-06-09
2025-06-08
2025-06-07
2025-06-06
2025-06-05
2025-06-04
2025-06-03
2025-06-02
2025-06-01
2025-05-31
2025-05-30
2025-05-29
2025-05-28
2025-05-27
2025-05-26
2025-05-25
2025-05-24
2025-05-23
2025-05-22
2025-05-21
2025-05-20
2025-05-19
2025-05-18
2025-05-17
2025-05-16
2025-05-15
2025-05-14
2025-05-13
2025-05-12
2025-05-11
2025-05-10
2025-05-09
2025-05-08
2025-05-07
2025-05-06
2025-05-05
2025-05-04
2025-05-03
2025-05-02
2025-05-01
2025-04-30
2025-04-29
2025-04-28
2025-04-27
2025-04-26
2025-04-25
2025-04-24
2025-04-23
2025-04-22
2025-04-20
2025-04-21
2025-04-19
2025-04-18
2025-04-17
2025-04-15
2025-04-16
2025-04-14
2025-04-13
2025-04-12
2025-04-11
2025-04-10
2025-04-09
2025-04-08
2025-04-07
2025-04-06
2025-04-05
2025-04-04
2025-04-03
2025-04-02
2025-04-01
2025-03-31
2025-03-30
2025-03-29
2025-03-28
2025-03-27
2025-03-26
2025-03-25
2025-03-24
2025-03-23
2025-03-22
2025-03-21
2025-03-20
2025-03-19
2025-03-18
2025-03-17
2025-03-16
2025-03-15
2025-03-14
2025-03-13
2025-03-12
2025-03-11
2025-03-10
2025-03-09
2025-03-08
2025-03-07
2025-03-06
2025-03-05
2025-03-04
2025-03-03
2025-03-02
2025-03-01
2025-02-28
2025-02-27
2025-02-26
2025-02-25
2025-02-24
2025-02-23
2025-02-21
2025-02-20
2025-02-19
2025-02-18
2025-02-17
2025-02-16
2025-02-15
2025-02-14
2025-02-13
2025-02-12
2025-02-11
2025-02-10
2025-02-09
2025-02-08
2025-02-07
2025-02-06
2025-02-05
2025-02-04
2025-02-03
2025-02-02
2025-02-01
2025-01-31
2025-01-30
2025-01-29
2025-01-28
2025-01-27
2025-01-26
2025-01-24
2025-01-23
2025-01-22
2025-01-21
2025-01-20
2025-01-19
2025-01-18
2025-01-17
2025-01-16
2025-01-15
2025-01-14
2025-01-13
2025-01-11
2025-01-10
2025-01-09
2025-01-08
2025-01-07
2025-01-06
2025-01-05
2025-01-04
2025-01-03
2025-01-02
2025-01-01
2024-12-31
2024-12-30
2024-12-29
2024-12-28
2024-12-27
2024-12-26
2024-12-25
2024-12-23
2024-12-21
2024-12-20
2024-12-19
2024-12-18
2024-12-17
2024-12-16
2024-12-13
2024-12-12
2024-12-09
2024-12-08
2024-12-07
2024-12-06
2024-12-05
2024-12-04
2024-12-03
2024-12-02
2024-11-30
2024-11-29
2024-11-28
2024-11-27
2024-11-26
2024-11-25
2024-11-24
2024-11-23
Labels
Clear labels
Implemented in VED waiting push to Main
breaking change
bug
bug
bugfix
deferred
delete script
dependencies
enhancement
external
feature
github
help wanted
in project pipeline
invalid
investigation
json
maintenance
needs triage
new script
new script
nice to have
not a script issue
not planned
organization
pull-request
question
refactor
rename script
security
update script
website
wontdo
🛑 Failure to comply with the guidelines
Mirrored from GitHub Pull Request
Milestone
No items
No Milestone
Projects
Clear projects
No project
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: starred/ProxmoxVE#678
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @numericOverflow on GitHub (Mar 21, 2025).
✅ Have you read and understood the above guidelines?
Yes
📜 What is the name of the script you are using?
Home Assistant (LXC)
📂 What was the exact command used to execute the script?
bash -c "$(wget -qLO - https://github.com/community-scripts/ProxmoxVE/raw/main/ct/homeassistant.sh)"
📝 Provide a clear and concise description of the issue.
Installing Home Assistant LXC also installs a Portainer instance in that LXC which has no default user/pass configured. The first person to access the instance Portainer webgui can pwn that install as they get to set the admin credentials.
IMO, this seems like a big security risk to leave an open portatiner install on the network . There's no warning(s) to user that portainer now exists and needs to be secured by finishing the portainer setup.
I only happened to find it b/c I copied the wrong URL while trying to open HomeAssistant for the first time.
⚙️ What settings are you using?
🖥️ Which Linux distribution are you using?
Debian 12
🔄 Steps to reproduce the issue.
Run the HA (LXC) install command.
bash -c "$(wget -qLO - https://github.com/community-scripts/ProxmoxVE/raw/main/ct/homeassistant.sh)"everything from there is automatic.
Visit the HA url shown after install script completes.
Set admin user/pass on that portainer instance.
❌ Paste the full error output (if available).
Not an error, script installed successfully. This is a security risk
To mitigate, I'd suggest any of the following
🖼️ Additional context (optional).
@MickLesk commented on GitHub (Mar 21, 2025):
It is impossible to automate this. Portainer Setup only with UI. Basically, this should probably be in the portainer repo, as we have no control over the tool.
If it were, the most we ist to add a note on Website. But surely everyone who installs portainer should also know that it needs to be set up?
@tremor021 commented on GitHub (Mar 21, 2025):
Also how the hell someone can "pwn" this? You're the one installing it...
@numericOverflow commented on GitHub (Mar 21, 2025):
@MickLesk - True, if I set out to install Portainer, I would absolutely know to go secure it. I wasn't expecting portainer to be installed so that's the issue, IMO.
I guess the unexpected nesting of LXC->Portainer->Docker container is really what I see as the problem. I get it, HA is distributed as a docker image which necessitates portainer, but at least tell the users they are responsible to go secure the newly installed dependency.
There's often tons of dependencies installed when a app or container is setup, but I think the general expectation is that you should only need to configure the main application you're installing (in this case Home Assistant) and not necessarily go secure each & every dependency (Portainer) unless explicitly told you must do so.
A note on the website as well as notice when the install script completes would be a decent start as there's nothing suggesting that portainer is installed unless you closely watch the actual install steps.
@tremor021 - If someone finds the unconfigured portainer UI, they can do anything they want to the HA setup where there is a TON of sensitive info within HA. They just complete the portainer setup with any user/pass they want and bingo. This feels pretty "pwn" to me...
@numericOverflow commented on GitHub (Mar 21, 2025):
BTW - don't me wrong, these scripts are great and I absolutely love the work. I'm just reporting what I see as a security hole with the hope to make it better in the end :)
@tremor021 commented on GitHub (Mar 21, 2025):
@numericOverflow thats not how it works. Portainer has 5 minute timeout for you to enter new user. If you fail, it shuts down the container
@numericOverflow commented on GitHub (Mar 21, 2025):
Right, but it
Right, but from my testing, that configuration timeout window reopens every time I restart the container.
@tremor021 commented on GitHub (Mar 21, 2025):
@numericOverflow Correct. After you restart Portainer, you get a chance to enter user/pass again for 5 minutes. If the guy attacking you has power to start a container on your host, then i'm afraid you have bigger problems than Portainer.
@Mati-l33t commented on GitHub (Mar 21, 2025):
Are you not already pwned if someone have access to your LAN?
@numericOverflow commented on GitHub (Mar 23, 2025):
OK, let me frame this another way:
Wouldn't it be better if we just ask the user if they actually want portainer, and only install it if they say yes?
That's looks like the strategy the docker LXC install script takes
@MickLesk commented on GitHub (Mar 31, 2025):
We do not change the logic of stock scripts to this extent. Portainer is fixed there, therefore no optional question necessary / useful.
As already explained, Portainer loses the option to store a user password there after 5 minutes, until the next restart.
I have added the information on the website accordingly. But in the end, if someone is in your network within 5 minutes, they certainly have better things to do than bashing Portainer with HomeAssistant :-D