Description
I just updated my CodiMD instance to 1.4.0. As recommended by the documentation, I switched to the new docker image. This image uses the pcheck script to check if the database is up, before starting the main process.
I saw the call to this process as such in my global process list:

```
pcheck -constr postgres://hackmd:kWgK3jmSPtxD3jGd5mr2@codimd_db:5432/hackmd
```
This allows any unprivileged process/user on the same host to read the password to the database. In my setup, this is a critical security issue.
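As an added example (not code from the CodiMD project or from this report), the following script audits command lines for database URLs that embed a password, which is exactly what makes the `pcheck -constr ...` call above readable by every local user through `/proc/<pid>/cmdline`. The sample command line and its password are constructed; the `audit_proc` helper only works on Linux.

```python
"""Audit process command lines for URLs that carry an embedded password.

Added example, not part of the CodiMD project. Flags arguments shaped like
`pcheck -constr postgres://user:password@host/db` so an operator can find
credentials exposed via argv before they leak.
"""
import os
import re
from urllib.parse import urlsplit

# Any scheme://... argument is a candidate; urlsplit decides whether the
# userinfo part actually contains a password (user@host alone is not reported).
URL_RE = re.compile(r"[a-zA-Z][a-zA-Z0-9+.-]*://\S+")


def redact(url: str) -> str:
    """Return the URL with its password replaced by '***'."""
    parts = urlsplit(url)
    if parts.password is None:
        return url
    netloc = parts.netloc.replace(":" + parts.password + "@", ":***@", 1)
    return url.replace(parts.netloc, netloc, 1)


def find_exposed_passwords(cmdline: str):
    """Return the redacted URLs in one command line that embed a password."""
    return [redact(m.group(0)) for m in URL_RE.finditer(cmdline)
            if urlsplit(m.group(0)).password]


def audit_proc():
    """Scan /proc/<pid>/cmdline of every process (Linux only); {pid: [urls]}."""
    hits = {}
    if not os.path.isdir("/proc"):
        return hits
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                argv = fh.read().split(b"\0")
        except OSError:
            continue  # process exited or cmdline not readable
        urls = find_exposed_passwords(" ".join(a.decode(errors="replace") for a in argv))
        if urls:
            hits[int(pid)] = urls
    return hits


# Constructed sample, shaped like the process-list entry in the report.
SAMPLE = "pcheck -constr postgres://hackmd:EXAMPLE_PASSWORD@codimd_db:5432/hackmd"

if __name__ == "__main__":
    print(find_exposed_passwords(SAMPLE))
    for pid, urls in audit_proc().items():
        print(pid, urls)
```

Run it as an unprivileged user on the host to see which processes (yours or anyone's) hand a password to a program on its command line.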
For people looking for an easy fix: I patched the docker container with this Dockerfile. It comments out the call to pcheck in the docker-entrypoint.sh script.

```dockerfile
FROM nabo.codimd.dev/hackmdio/hackmd:1.4.0
MAINTAINER Daan Sprenkels <daan@dsprenkels.com>
# Comment out every line of the entrypoint that starts with "pcheck", so the
# database connection string is no longer passed on a command line.
RUN sed --in-place 's/^pcheck/#pcheck/g' /home/hackmd/app/docker-entrypoint.sh
```