mumble-voip / mumble-docker

The official Mumble Docker image
BSD 3-Clause "New" or "Revised" License
146 stars 34 forks source link

MUMBLE_CONFIG_DB_PASSWORD leaks password to logs #15

Closed gclawes closed 2 years ago

gclawes commented 2 years ago

The log statements in set_configs() in entrypoint.sh can leak sensitive values to logs, primarily the value of MUMBLE_CONFIG_DB_PASSWORD when using a database like mysql.

https://github.com/mumble-voip/mumble-docker/blob/4d73da6902fea8ce1e17929ffab168f16a6820a8/entrypoint.sh#L45

Krzmbrzl commented 2 years ago

I don't really see a problem with that. I mean it's not like there are other users in your Docker image that could open the log and read that information. And when not using Docker, this information is stored as plain text in the INI file, so how is that different to it appearing in the log? 👀

gclawes commented 2 years ago

Leaking sensitive data (passwords/secrets/etc) in log files is generally considered a bad security practice, regardless of how the process is running: https://cwe.mitre.org/data/definitions/532.html

Docker containers (including this one) usually log to standard out instead of log files in the container; the logs are captured by the docker runtime and are commonly shipped off the host to a logging system (many cloud providers with container runtime services do this automatically).

When mumble is run without docker, config files can be protected with file permissions and the contents can be reasonably expected not to leave the host.

Krzmbrzl commented 2 years ago

the logs are captured by the docker runtime and are commonly shipped off the host to a logging system (many cloud providers with container runtime services do this automatically).

Good point :+1: