wernight/docker-mopidy

Potential disclosure of music backend credentials

Closed this issue · 2 comments

When specifying spotify/gmusic/etc username and credentials via the docker run command line as suggested by the README, the credentials will be visible to anyone on the host who is able to run a simple ps command. This may or may not be a problem for the users - possibly worth a warning in the README anyway.

Isn't Linux blocking viewing PS of other users? The second standard way is using environment variables -e XX=YY and then wouldn't that also be visible?

The solutions seem to be like:

Would you like to suggest a PR to update the README?

No, apparently it's not blocking it.
I think a README update would be just fine to make sure people are aware of this and can decide which way they want to go.
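An added example, not part of the original thread or the project's code: a small audit helper that flags credential-bearing `key=value` arguments in process command lines and checks whether `/proc` is mounted with `hidepid`, the Linux option that hides other users' processes. The image name, option values, key-name list and sample lines are constructed for illustration.

```python
import re
import shlex

# Key names treated as credential-bearing (assumed list for this example).
SECRET_KEY = re.compile(r"password|passwd|secret|token|api_?key", re.I)

def find_exposed_secrets(cmdline):
    """Return redacted key=value arguments whose key looks like a credential."""
    findings = []
    for arg in shlex.split(cmdline):
        key, sep, value = arg.partition("=")
        if sep and value and SECRET_KEY.search(key):
            findings.append(f"{key}=<redacted>")  # never echo the value itself
    return findings

def proc_hides_other_users(mounts_text):
    """True if /proc is mounted with hidepid set to anything but 0/off."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == "/proc" and fields[2] == "proc":
            for opt in fields[3].split(","):
                name, _, val = opt.partition("=")
                if name == "hidepid" and val not in ("0", "off"):
                    return True
    return False

def audit(cmdlines, mounts_text):
    """Combine both checks into one report."""
    return {
        "proc_hidden": proc_hides_other_users(mounts_text),
        "exposed": [f for c in cmdlines for f in find_exposed_secrets(c)],
    }

# Constructed samples: command lines as `ps` would show them, and /proc/mounts lines.
SAMPLE_CMDLINES = [
    "docker run -d example/mopidy-image mopidy "
    "-o spotify/username=alice -o spotify/password=CONSTRUCTED-VALUE",
    "docker run -d -e SPOTIFY_PASSWORD=CONSTRUCTED-VALUE example/mopidy-image",
    "docker run -d --env-file /etc/mopidy/secrets.env example/mopidy-image",
]
SAMPLE_MOUNTS_DEFAULT = "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n"
SAMPLE_MOUNTS_HARDENED = "proc /proc proc rw,nosuid,nodev,noexec,hidepid=2 0 0\n"

if __name__ == "__main__":
    print(audit(SAMPLE_CMDLINES, SAMPLE_MOUNTS_DEFAULT))
```

On a real host the same functions can be fed `ps -eo args` output and the contents of `/proc/mounts`; the `--env-file` form produces no finding because the secret never appears in the argument list.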