wernight / docker-mopidy

Containerized Mopidy MPD (Music Player Daemon) along with Spotify, Google Music... plugins.
https://hub.docker.com/r/wernight/mopidy/
MIT License

Potential disclose of music backend credentials #18

Closed bpetrikovics closed 6 years ago

bpetrikovics commented 6 years ago

When specifying spotify/gmusic/etc username and credentials via the docker run command line as suggested by the README, the credentials will be visible for anyone on the host that is able to run a simple ps command. This may or may not be a problem for the users - possibly worth a warning in the README anyway.

wernight commented 6 years ago

Isn't Linux blocking viewing PS of other users? The second standard way is using environment variables -e XX=YY and then wouldn't that also be visible?

The solutions seem to be like:

Would you like to suggest a PR to update the README?

bpetrikovics commented 6 years ago

No, apparently it's not blocking it. I think a README update would be just fine to make sure people are aware of this and can decide which way they want to go.
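
An added example, not part of the thread and not the project's code: a host-side audit that reports which running processes carry secret-looking `KEY=VALUE` arguments in `/proc/<pid>/cmdline`, the same data `ps` shows. The key-name list, the sample command line, and the `-o section/key=value` argument form are assumptions made for illustration.

```python
import re
from pathlib import Path

# Key names treated as secret-bearing (an assumed list for this example).
SECRET_KEY = re.compile(
    r"([\w./-]*(?:password|passwd|secret|token|api_?key)[\w./-]*)=(.+)", re.I | re.S
)

# Constructed sample: argv of a `docker run` that passes credentials both as
# an environment flag and as container arguments. Values are placeholders.
SAMPLE = (
    b"docker\0run\0-e\0SPOTIFY_PASSWORD=not-a-real-secret\0wernight/mopidy\0"
    b"mopidy\0-o\0spotify/password=not-a-real-secret\0-o\0spotify/username=alice\0"
)

def parse_cmdline(raw: bytes) -> list[str]:
    """Split the NUL-separated argv stored in /proc/<pid>/cmdline."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]

def exposed_keys(argv: list[str]) -> list[str]:
    """Return the names (never the values) of secret-looking KEY=VALUE args."""
    keys = []
    for arg in argv:
        m = SECRET_KEY.search(arg)
        if m:
            keys.append(m.group(1))
    return keys

def scan_proc(proc: Path = Path("/proc")) -> dict[int, list[str]]:
    """Map pid -> exposed key names for every process readable by this user."""
    findings = {}
    for entry in proc.glob("[0-9]*"):
        if not entry.name.isdigit():
            continue
        try:
            raw = (entry / "cmdline").read_bytes()
        except OSError:  # process exited mid-scan, or access denied
            continue
        keys = exposed_keys(parse_cmdline(raw))
        if keys:
            findings[int(entry.name)] = keys
    return findings

if __name__ == "__main__":
    print("sample:", exposed_keys(parse_cmdline(SAMPLE)))
    for pid, keys in sorted(scan_proc().items()):
        print(f"pid {pid}: secret-looking arguments {keys}")
```

Run as an unprivileged user, any finding it prints is one that every other local account on that host can read as well.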