New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Any php program in a linked container can read the mysql root password #21
Comments
This is how we can just One possible solution is to only use the env for setup and then use a second container to |
You could also use "initdb" (or just a normal connection after initial
setup) to change the root password. We have to have _something_ to
initialize the password to, and it can't really be interactive, so we don't
have a lot of options here.
|
I agree that you don't have many options here for setting the mysql root password. However, having the db root password visible in clear in the linked containers is a major security issue and makes completely meaningless the creation of other restricted users (like the one associated to the optional default database in the image). Therefore, even if it is far from perfect, a solution for this could be to generate a random password when MYSQL_ROOT_PASSWORD is not specified on the command line, and to echo it in the container's log. This means replacing in
by
This has the advantage of keeping the compatibility with the existing command line, and running mariadb as If you are inline with this proposal, I can create a pull request; otherwise I'll just use it for my own needs... :-) |
I just realized this security problem today. This problem is that the official docker mariadb library ships with a pretty big security hole as default. I cannot agree with #21 (comment) that conviennce takes higher priority than security in this case. I am proposing that we simply make MYSQL_ROOT_PASSWORD optional. This would make the two use cases work:
|
Please be aware that this root password leak issue is not specific to the mariadb docker image. For example I checked the mysql official image and it presents the exact same issue (which is not surprising, since both mariadb and mysql have almost identical Dockerfiles). |
I opened up an issue in docker a while ago to design/write up alternatives for managing "secrets"; see moby/moby#13490. The current behavior is "by design", and is useful for "automatic" configuration of linked containers, but I fully agree that leaking these env-vars to linked containers is far from ideal. |
@thaJeztah please enlighten me what's the downside of making MYSQL_ROOT_PASSWORD optional? The "automatic" configuration can still work as before, right? |
@skyred sorry, just wanted to add a reference to general optimizations that could be made, w.r.t;
I agree on making the |
Make Don't forgot to document it in README, to make everybody understand that they should use |
|
Nice, going to use it. But why two variables for use case, where one is enough and more intuitive? Jan Pobořil 2015-09-23 18:50 GMT-05:00 yosifkit notifications@github.com:
|
@yosifkit Sorry, but What would rather be needed is a way to set the sql root password in such a way that it is not accessible to other linked containers. |
@jlj This repo isn't really the place to debate the need for such a feature. Looks like you've already commented on moby/moby#5169, which is the most recent discussion I've found specifically dealing with that topic. As far as I know the "links v2" proposal mentioned in that issue never happened. This comment mentions that a replacement proposal was going to be made public at some point, but I don't recall ever seeing one. Others may know better. This issue is also a good overview of the past proposals and possible future roadmap for handling secrets in Docker: moby/moby#13490 |
@jlj I also see now that you're already aware of moby/moby#13490 |
@md5 The point of this issue is not to debate about docker features. Actually, the fact that, if using this official mariadb image, any php program running in a separate-but-linked container has a direct clear access to the SQL root password looks like a serious security concern to me. Additionally, and this may seem naive, I thought that official docker image were supposed to be representative of the best practices, e.g. the ones listed in the post you mentioned moby/moby#13490. And if the people in charge of this repo consider that the mysql root password shall not be considered as a secret ,and thus can be put in an environment variable without any inconvenience, this is not a problem for me (I just won't use this image), but it seems reasonable that other users are aware of this when selecting docker images for building their system. :-( |
@jlj That's what I get for commenting on GitHub issues past my bedtime and not fully reading the thread first. Sorry about that. I guess what I should have said is that you're not really offering a concrete proposal. Given the state of Docker secret management in moby/moby#13490, I only see a few ways of dealing with this issue using the current features:
None of these seem like great solutions to me, though the first one seems slightly better in some ways. The use of a key management server in the second bullet seems good as well, but difficult to recommend for casual users. Since you've said that your solution will be to avoid using this image, how do you intend to set the |
@md5 The concrete proposal I've made is to generate an random password when |
@jlj Thanks! I should have known that! I'll read the thread more closely next time before commenting. 👍 |
Actually, the new networking/linking is currently available as part of the "experimental" builds of Docker. See https://github.com/docker/docker/blob/master/experimental/networking.md for more info |
Thanks @thaJeztah. Looks like moby/moby#14083
is the place to track that feature?
|
Is not enought to hide just root password? So it could be randomly generated and if admin needs to use root, he can open shell into container and use mysql client under root. Jan Pobořil 24 Sep 2015 v 08:24, Mike Dillon notifications@github.com:
|
@iBobik That's not possible if the user specifies it with |
It is really trivial to change the root password after the fact, though.
Perhaps a simple example of how to do that would be a good addition to the
docs.
|
@md5 correct; I think there are some related issues as well. Be aware that it's still "experimental", which means that the design can/will still change, based on feedback. |
While working on another project I figured out a backwards-compatible solution, for which you don't need to change your environment files. It uses a volume-mount to bring the environment file inside the container. An entrypoint script reads the environment file from $ENVFILE and starts the command: This solution is backwards compatible - if you don't set the ENVFILE variable, it will just do nothing. All existing env variables are preserved. Copy-and-pasting this code to your entrypoint script should work. Then you just need to change your calls from |
How about to change behavior of variable MYSQL_ROOT_PASSWORD for empty value? Currently it sets empty password, so everybody can login. More secure behavior will be to disable login (if it is possible) or set password to random string (and not expose it outside container). |
Note that the new networking options in docker 1.10 don't require to setup links between containers (as long as they're in the same network), and environment-variables are not created/shared between containers. Also see this section in the documentation; https://docs.docker.com/engine/userguide/networking/work-with-networks/#linking-containers-in-user-defined-networks |
You can move database files to your host environment like this: |
Well, I'm hosting a PHP app that is not mine. I run this app overwriting this
But I have to remember to hide password on every docker I link with mysql. |
@fabiomontefuscolo create a custom network (
environment vars are not shared in custom networks |
Is this real? Is this kind of a parody or a joke? |
@thaJeztah When I use your solution, in new container I haven't any ip record for container in /etc/hosts: with default network: 127.0.0.1 localhost and with my network: 127.0.0.1 localhost |
@alizowghi I saw in your reply a line like this:
This is generated by |
@fabiomontefuscolo my problem is lack of this line "172.17.0.7 29414bab4b67" in custom network. in this case my services in container can't run well. |
@alizowghi I don't know how to solve this, because it just works for me. Maybe, as a second try you can configure a dns server container, like jderusse/dns-gen, but I use it only on my development environment. After the trick I learnt with @thaJeztah, I read more about docker-compose.yml and I could deploy something like this using custom networks. And things just work, my
|
@alizowghi in user-defined networks, Docker now uses DNS based resolution of the linked containers, and containers on the same network. This is all handled by an embedded DNS server; https://docs.docker.com/engine/userguide/networking/configure-dns/#/embedded-dns-server-in-user-defined-networks |
@fabiomontefuscolo , @thaJeztah thank you for your responses, I got it now, my problem was employment of two containers in two different networks. @thaJeztah it's a very nice solution, thank you very much |
Closing old issue. This is really an issue with |
Note: this is a copy of a message about this issue that I wrote as a comment to docker issue #5169 (closed) see moby/moby#5169 (comment)
Although the docker documentation now clearly includes a warning about env variables being propagated to linked containers, this still looks like a real security problem to me, because many images, including official images pass secret information though env variables, and there still doesn't seem to be a good way to pass a private variable to a container at runtime.
This can be illustrated by a very simple php / mysql application using a database container,using the official
mariadb
image, linked with a php container based on the officialphp
image.The result is simply that any php program has access to the mysql root password via the env variables:
And really, this is not desirable!
Ok, this could be considered as a bug of the
mariadb
image and I will also enter it as such...But my real feeling is that it looks more like a general docker issue.
The text was updated successfully, but these errors were encountered: