9 lines
822 B
Plaintext
9 lines
822 B
Plaintext
• Passing passwords via command line arguments:
|
|
Benefits: fast and easy to type out for quick testing.
|
|
Drawbacks: Highly insecure. Passwords are saved in the .bash_history and are fully visible to any other user running the `ps` command. They also leak through `docker inspect`
|
|
• Passing passwords via an environment variable:
|
|
Benefits: Better than CLI arguments because they hide the secret from the ps process list.
|
|
Drawbacks: Still exposed. Anyone with access to docker can view them using `docker inspect`.
|
|
• Passing passwords via a file:
|
|
Benefits: The secrets do not show up in the `ps` process list or in the docker inspect metadata. Access to the file on the host can also be limited using chmod.
|
|
Drawbacks: Leaves a plaintext file on the physical hard drive, requiring manual cleanup. |