From 1a6c43b8d7f4201987d413c58d7c72d45f56f8f2 Mon Sep 17 00:00:00 2001 From: Bernard Potocki Date: Mon, 2 Jun 2014 00:11:24 +0200 Subject: [PATCH 1/4] Preserve ENV variables for SSH client Currently when you ssh to host you will not see ENV variables set. This was mentioned earlier in #54 and solution is tested. Additional rationale: currently you can't see docker link ENV variables inside ssh, so you need to load this file every time you connect to container. I would say that expected behavior is to preserve them in services that are provided at default (cron/ssh) --- image/system_services.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/image/system_services.sh b/image/system_services.sh index 7947ad4..d48efe3 100755 --- a/image/system_services.sh +++ b/image/system_services.sh @@ -11,6 +11,7 @@ touch /etc/container_environment.sh touch /etc/container_environment.json chmod 700 /etc/container_environment chmod 600 /etc/container_environment.sh /etc/container_environment.json +ln -s /etc/container_environment.sh /etc/profile.d/ ## Install runit. $minimal_apt_get_install runit From b665b78454b4d4809c90f0583d8491b6868af279 Mon Sep 17 00:00:00 2001 From: Bernard Potocki Date: Mon, 2 Jun 2014 15:06:02 +0200 Subject: [PATCH 2/4] Make container_envoriments.sh and .json readable by other users Prevents bug when loading env variables on non-root user login. --- image/system_services.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/image/system_services.sh b/image/system_services.sh index d48efe3..236f31b 100755 --- a/image/system_services.sh +++ b/image/system_services.sh @@ -10,7 +10,7 @@ mkdir -p /etc/container_environment touch /etc/container_environment.sh touch /etc/container_environment.json chmod 700 /etc/container_environment -chmod 600 /etc/container_environment.sh /etc/container_environment.json +chmod 644 /etc/container_environment.sh /etc/container_environment.json ln -s /etc/container_environment.sh /etc/profile.d/ ## Install runit. From 1357e9399e88b6e3440189ea92efcdecfb5211b2 Mon Sep 17 00:00:00 2001 From: Bernard Potocki Date: Wed, 18 Jun 2014 17:10:35 +0200 Subject: [PATCH 3/4] Add docker_env group and make container_environment scripts group-readable --- image/system_services.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/image/system_services.sh b/image/system_services.sh index 236f31b..8a8cb9f 100755 --- a/image/system_services.sh +++ b/image/system_services.sh @@ -10,7 +10,10 @@ mkdir -p /etc/container_environment touch /etc/container_environment.sh touch /etc/container_environment.json chmod 700 /etc/container_environment -chmod 644 /etc/container_environment.sh /etc/container_environment.json + +groupadd docker_env +chown :docker_env /etc/container_environment.sh /etc/container_environment.json +chmod 640 /etc/container_environment.sh /etc/container_environment.json ln -s /etc/container_environment.sh /etc/profile.d/ ## Install runit. From b9d788611ab7063ecdb55926e71cf1973dbe8dea Mon Sep 17 00:00:00 2001 From: Bernard Potocki Date: Wed, 18 Jun 2014 17:13:44 +0200 Subject: [PATCH 4/4] Update readme --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 4ce0315..c331c55 100644 --- a/README.md +++ b/README.md @@ -287,7 +287,7 @@ But note that: #### Security -Because environment variables can potentially contain sensitive information, `/etc/container_environment` and its Bash and JSON dumps are by default owned by root, and root-accessible only. If you are sure that your environment variables don't contain sensitive data, then you can relax the permissions on that directory and those files by making them world-readable: +Because environment variables can potentially contain sensitive information, `/etc/container_environment` and its Bash and JSON dumps are by default owned by root, and accessible only by docker_env group (so any user added this group will have these variables automatically loaded). If you are sure that your environment variables don't contain sensitive data, then you can relax the permissions on that directory and those files by making them world-readable: RUN chmod 755 /etc/container_environment RUN chmod 644 /etc/container_environment.sh /etc/container_environment.json