Potential disclosure of music backend credentials
Closed this issue · 2 comments
bpetrikovics commented
When specifying spotify/gmusic/etc username and credentials via the `docker run` command line as suggested by the README, the credentials will be visible to anyone on the host who is able to run a simple `ps` command. This may or may not be a problem for the users - possibly worth a warning in the README anyway.
wernight commented
Isn't Linux blocking viewing PS of other users? The second standard way is using environment variables `-e XX=YY`, and then wouldn't that also be visible?
The solutions seem to be like:
- Create a docker-compose.yml (with read access only for yourself).
- https://stackoverflow.com/questions/3830823/hiding-secret-from-command-line-parameter-on-unix
- https://serverfault.com/questions/592744/how-to-hide-a-password-passed-as-command-line-argument
Would you like to suggest a PR to update the README?
bpetrikovics commented
No, apparently it's not blocking it.
I think a README update would be just fine to make sure people are aware of this and can decide which way they want to go.
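
An added example, not part of the thread or the project's README: a small audit that reads `/proc/<pid>/cmdline` the way `ps` does and reports which processes carry a credential in their arguments, including the `-e XX=YY` form asked about above. The key-name pattern, the sample argument vectors, the image name and the file path are constructed assumptions.

```python
import os
import re

# Assumed heuristic for key names that carry a secret; extend for your tools.
SECRET_KEY = re.compile(r"passw(or)?d|secret|token|api[_-]?key", re.I)

# Constructed samples: a docker client's argv as stored in /proc/<pid>/cmdline.
EXPOSED = (b"docker\0run\0-e\0SPOTIFY_PASSWORD=hunter2\0"
           b"example/image\0--gmusic-password\0hunter2\0")
SAFER = (b"docker\0run\0--env-file\0/home/user/mopidy.env\0"
         b"-e\0SPOTIFY_PASSWORD\0example/image\0")

def parse_cmdline(raw):
    """Split the NUL-separated contents of /proc/<pid>/cmdline into argv."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]

def exposed_args(argv):
    """Return key names whose secret value sits in argv (values are not returned)."""
    hits = []
    for i, arg in enumerate(argv):
        key, sep, value = arg.partition("=")
        if sep and value and SECRET_KEY.search(key):
            hits.append(key.lstrip("-"))       # KEY=value, --key=value
        elif not sep and arg.startswith("-") and SECRET_KEY.search(arg):
            nxt = argv[i + 1] if i + 1 < len(argv) else ""
            if nxt and not nxt.startswith("-"):
                hits.append(arg.lstrip("-"))   # --key value
    return hits

def scan_proc(proc="/proc"):
    """Map pid -> exposed key names for every process this user can list."""
    findings = {}
    if not os.path.isdir(proc):
        return findings
    for entry in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, entry, "cmdline"), "rb") as f:
                hits = exposed_args(parse_cmdline(f.read()))
        except OSError:                        # process exited or access denied
            continue
        if hits:
            findings[int(entry)] = hits
    return findings

if __name__ == "__main__":
    for pid, keys in sorted(scan_proc().items()):
        print(pid, ", ".join(keys))
```

In the `SAFER` sample the value comes from an `--env-file` or from the caller's own environment (`-e NAME` with no `=VALUE`), so only the variable name appears in the process list.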