Vagrant insecure by default?

清歌不尽 2020-12-12 14:05

EDIT 2: TL;DR: the answer was yes in 2013, but this flaw has been fixed

By following the Getting Started instructions on vagrantup.

6 answers
  •  猫巷女王i
    2020-12-12 14:16

    I've raised this as an issue on the GitHub repository for Vagrant. The developer has said they'll fix the issue with the forwarded ports being externally available. The developer does not, however, accept the issue regarding compromise of the host environment from the VM. I think they're dangerously wrong.

    https://github.com/mitchellh/vagrant/issues/1785

    Breaking out of the VM is easier than the linked blog post suggests. You don't have to depend on git hooks to compromise the host; you just put arbitrary Ruby code into the Vagrantfile.

    I'd run Vagrant in a VM sandbox if I could. Since I can't, I make do with a firewall.

    It's a good idea to have provisioning rules to add a secure SSH key, and to remove the insecure key and the default password.
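
The provisioning step suggested in the answer above, as an added example (not part of the original answer or of Vagrant): a shell provisioner helper that drops the stock key from `authorized_keys`, installs a caller-supplied key, and locks the account password. The function names, the comment-based match and the file paths are assumptions.

```shell
#!/bin/sh
# Assumption: the stock key is recognised by its usual comment; on a real box
# compare the key blob against the one published in the Vagrant repository.
INSECURE_COMMENT='vagrant insecure public key'

# replace_insecure_key AUTHORIZED_KEYS NEW_PUBKEY_FILE
# Returns 0 on success, 2 if the replacement key is unusable (file untouched).
replace_insecure_key() {
    auth_file=$1
    new_key_file=$2
    # Validate the replacement first, otherwise provisioning locks itself out.
    [ -r "$new_key_file" ] || return 2
    new_key=$(grep -E '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-[a-z0-9-]+) [A-Za-z0-9+/=]+' \
        "$new_key_file" | head -n 1)
    [ -n "$new_key" ] || return 2
    case $new_key in *"$INSECURE_COMMENT"*) return 2 ;; esac
    blob=$(printf '%s\n' "$new_key" | awk '{print $2}')

    tmp=$(mktemp) || return 1
    # Keep existing lines except the insecure key and earlier copies of the new key.
    if [ -f "$auth_file" ]; then
        grep -vF -e "$INSECURE_COMMENT" -e "$blob" "$auth_file" > "$tmp" || true
    fi
    printf '%s\n' "$new_key" >> "$tmp"
    # Write back in place so the file keeps its owner, then tighten the mode.
    cat "$tmp" > "$auth_file" && chmod 600 "$auth_file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# lock_default_password USER: disable password login for the account (needs root).
lock_default_password() {
    passwd -l "$1"
}

# Demo on constructed keys in a scratch directory: sh thisfile.sh demo
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    printf '%s\n' "ssh-rsa AAAAconstructedOLD $INSECURE_COMMENT" > "$d/authorized_keys"
    printf '%s\n' 'ssh-ed25519 AAAAconstructedNEW deploy@example' > "$d/new.pub"
    replace_insecure_key "$d/authorized_keys" "$d/new.pub" && cat "$d/authorized_keys"
    rm -rf "$d"
fi
```

From a root shell provisioner this would be called as `replace_insecure_key /home/vagrant/.ssh/authorized_keys /vagrant/deploy_key.pub && lock_default_password vagrant`, where both paths are assumed.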
