docker-sensu-server

user/password in dockerfile

Open lusis opened this issue 9 years ago • 2 comments

On line 18 of the Dockerfile, there's a hardcoded user and password. I'm not sure if this container is meant to be used by the general public or for personal consumption, but that's not a good thing. It might be worth moving that out or moving to something akin to what tutum does in its mysql containers:

https://github.com/hiroakis/docker-sensu-server/blob/master/Dockerfile#L33-35&v=3
https://github.com/tutumcloud/tutum-docker-mysql/blob/master/5.6/Dockerfile#L39
https://github.com/tutumcloud/tutum-docker-mysql/blob/master/5.6/run.sh#L29-L41

In general, if you wrap your actual executable in a containing script, you can make things much more secure.

lusis, Apr 03 '15 15:04
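A wrapper script of the kind suggested in the post above, written here as an added example (it is not code from this repository or from tutum). The password comes from a mounted file, an environment variable, or a random value generated at start-up, so none is stored in the image. The `SERVICE_*` variable names, the default user and the credentials file format are assumptions.

```shell
#!/bin/sh
# Entrypoint wrapper (added example). Every name here is hypothetical:
# SERVICE_USER, SERVICE_PASS, SERVICE_PASS_FILE, SERVICE_CONF.

# Print the password to use. Order: mounted secret file, then environment
# variable, then a fresh random value. Nothing is baked into the image.
resolve_password() {
    if [ -n "${SERVICE_PASS_FILE:-}" ]; then
        # Fail closed if a secret file was requested but cannot be read.
        [ -r "$SERVICE_PASS_FILE" ] || { echo "cannot read $SERVICE_PASS_FILE" >&2; return 1; }
        head -n 1 "$SERVICE_PASS_FILE"
    elif [ -n "${SERVICE_PASS:-}" ]; then
        printf '%s\n' "$SERVICE_PASS"
    else
        # 18 bytes from the kernel CSPRNG, hex-encoded to 36 characters.
        head -c 18 /dev/urandom | od -An -tx1 | tr -d ' \n'
        echo
    fi
}

# Write user:password to the file named by $1, readable by owner only.
write_credentials() {
    conf=$1
    pass=$(resolve_password) || return 1
    [ -n "$pass" ] || { echo "empty password refused" >&2; return 1; }
    ( umask 077; printf '%s:%s\n' "${SERVICE_USER:-admin}" "$pass" > "$conf" )
    chmod 600 "$conf"   # also covers a file that already existed
    # Announce (once, in the container log) only a password we generated.
    if [ -z "${SERVICE_PASS_FILE:-}" ] && [ -z "${SERVICE_PASS:-}" ]; then
        echo "generated password for ${SERVICE_USER:-admin}: $pass" >&2
    fi
}

main() {
    write_credentials "${SERVICE_CONF:-/etc/service/credentials}" || exit 1
    unset SERVICE_PASS          # keep it out of the child's environment
    exec "$@"                   # replace the wrapper with the real service
}

# Run only when given a command, e.g. as the image's ENTRYPOINT.
if [ "$#" -gt 0 ]; then main "$@"; fi
```
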

Another way is to make very clear that this isn't meant for production usage and is to be played with and thrown away locally. Security constraints around a spike vary a lot from a long-lived system.

scottmuc, Apr 03 '15 15:04

:+1: @scottmuc As someone else pointed out, Vagrant is very explicit about this: https://github.com/mitchellh/vagrant/tree/master/keys

lusis, Apr 03 '15 16:04