After upgrading to docker compose v2.34.0, file secrets are no longer world readable by default. According to documentation, they should be 0444 by default.
docker-compose.yml
```yaml
services:
  bug:
    image: bash
    secrets:
      - USER
    command: "ls -la /run/secrets"
secrets:
  USER:
    environment: "USER"
```
docker compose run bug
-r--r--r-- 1 root root 4 Mar 22 13:25 USER
-r--r----- 1 root root 4 Mar 22 13:26 USER
Docker Compose version v2.34.0
```
Client: Docker Engine - Community
 Version:    28.0.2
 Context:    rootless
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.22.0
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.34.0
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 62
  Running: 59
  Paused: 0
  Stopped: 3
 Images: 81
 Server Version: 28.0.2
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: true
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: bcc810d6b9066471b0b6fa75f557a15a1cbf31bb
 runc version: v1.2.4-0-g6c52b3f
 init version: de40ad0
 Security Options:
  seccomp
   Profile: builtin
  rootless
  cgroupns
 Kernel Version: 6.8.0-52-generic
 Operating System: Ubuntu 22.04.5 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 4
 Total Memory: 15.4GiB
 Name: tux
 ID: 24807eb6-88c9-4eae-97ac-56e327a311f7
 Docker Root Dir: /home/*redacted*/.local/share/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  ::1/128
  127.0.0.0/8
 Live Restore Enabled: false
 Default Address Pools:
   Base: 172.16.0.0/12, Size: 20

WARNING: No cpu cfs quota support
WARNING: No cpu cfs period support
WARNING: No cpu shares support
WARNING: No cpuset support
WARNING: No io.weight support
WARNING: No io.weight (per device) support
WARNING: No io.max (rbps) support
WARNING: No io.max (wbps) support
WARNING: No io.max (riops) support
WARNING: No io.max (wiops) support
```
I am using docker rootless, but I observed the same problem using docker rootful.
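A mode check for mounted secrets, added here as an example and not part of the original issue or of the Compose project: it reports every file under a secrets directory whose mode differs from the expected one, so a change like 0444 to 0440 fails a startup or CI check instead of surfacing as a read error for a non-root process. The function names `audit_secret_modes` and `demo_audit` are hypothetical, and a `stat` that supports `-c '%a'` (GNU coreutils or BusyBox) is assumed.

```shell
#!/bin/sh
# Added example (not from the issue): audit secret file modes.
# Usage: audit_secret_modes [DIR] [EXPECTED_OCTAL]
# Prints one line per deviating file; returns 0 if all match, 1 if any
# file deviates, 2 if stat fails.
audit_secret_modes() {
    dir=${1:-/run/secrets}
    expected=${2:-444}
    bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue              # also skips an unmatched glob
        mode=$(stat -c '%a' "$f") || return 2
        other=${mode#"${mode%?}"}            # last octal digit = "other" bits
        if [ $((other & 4)) -ne 0 ]; then world=yes; else world=no; fi
        if [ "$mode" != "$expected" ]; then
            printf '%s mode=%s expected=%s world_readable=%s\n' \
                "${f##*/}" "$mode" "$expected" "$world"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample: one secret named USER with the 0440 mode shown in the
# second listing above, audited against the documented 0444 default.
demo_audit() {
    d=$(mktemp -d) || return 2
    printf 'abc\n' > "$d/USER"
    chmod 0440 "$d/USER"
    audit_secret_modes "$d" 444
    rc=$?
    rm -rf "$d"
    return "$rc"
}
```

Inside a container the function can be called with no arguments to check `/run/secrets` against 444.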