Highlight the security risk of setting the environment variable containing passwords #88

Closed
ghost opened this issue Jul 26, 2015 · 3 comments


ghost commented Jul 26, 2015

From my understanding, the environment variable for MYSQL_ROOT_PASSWORD will always exist in plaintext on the docker host. By performing a docker inspect on the container, the user can find out the root password. If a malicious user was able to gain access to the server, they would be able to log in to the database with ease.

I believe the documentation for the container should tell the user they should immediately change the password for the root user when they deploy the container for the first time. Otherwise, perhaps the container should start without networking until a custom wrapper is executed via docker exec. The wrapper could call mysql_secure_installation for example.

The same risk applies to the MYSQL_PASSWORD environment variable.

@thaJeztah

This is not an issue specific to this image, but a general issue when using environment variables; for reference, I created this issue to make improvements in this area: moby/moby#13490

I agree that a mention of "changing the password" directly after the container was created could be considered (although, users may run into problems if they use the environmental variables in linked containers for automatic configuration).

I don't think the container should be prevented from starting; it's still a user decision, and there are many valid situations where "leaking" environment variables may not be an issue.

Please note that changing the password will not protect your data if the docker host is compromised; if someone is able to obtain access to the docker daemon / API, they have effectively root access; a password will not prevent them from reading the MySQL data files directly.

Member

tianon commented Aug 20, 2016

I think that the addition of MYSQL_ONETIME_PASSWORD and therefore the associated documentation added for it cover this use case nicely. 😄

Member

tianon commented Dec 26, 2017

See also the "Docker Secrets" functionality, where this value can be encrypted at-rest by Docker itself in the secrets store, and provided to the image as a file on tmpfs used via something like -e MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mysql-root-password and removed after the initialization completes. 👍

tianon closed this as completed Dec 26, 2017
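An added example, not part of the thread or the image's own code: a small audit that reads `docker inspect` JSON and reports containers whose `Config.Env` carries the two password variables named above in plaintext, while leaving the `_FILE` form alone. The container names and values in the sample are constructed.

```python
import json

# Variables the thread names as carrying plaintext credentials.
SENSITIVE = {"MYSQL_ROOT_PASSWORD", "MYSQL_PASSWORD"}


def plaintext_secrets(inspect_json):
    """Return (container, variable) pairs exposed through Config.Env.

    inspect_json is the JSON array printed by `docker inspect <container>...`.
    The *_FILE variants hold only a path such as /run/secrets/..., so they
    do not match and are not reported.
    """
    findings = []
    for container in json.loads(inspect_json):
        name = container.get("Name", "").lstrip("/")
        # Env may be null in inspect output when no variables are set.
        env = (container.get("Config") or {}).get("Env") or []
        for entry in env:
            key, sep, value = entry.partition("=")
            if key in SENSITIVE and sep and value:
                findings.append((name, key))
    return findings


# Constructed sample in the shape of `docker inspect` output (trimmed to the
# fields used here); names and passwords are made up.
SAMPLE = json.dumps([
    {"Name": "/db-env",
     "Config": {"Env": ["PATH=/usr/local/bin:/usr/bin",
                        "MYSQL_ROOT_PASSWORD=example-root-pw",
                        "MYSQL_USER=app",
                        "MYSQL_PASSWORD=example-app-pw"]}},
    {"Name": "/db-secret",
     "Config": {"Env": ["PATH=/usr/local/bin:/usr/bin",
                        "MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mysql-root-password"]}},
])

if __name__ == "__main__":
    for name, key in plaintext_secrets(SAMPLE):
        print(f"{name}: {key} is readable via docker inspect")
```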