Is your feature request related to a problem? Please describe.
Environment variables are not inherently safe; they are visible in a process's details to processes with the same uid. People will usually run everything under their own account or, with Docker, as 1000 (documented for this project), 911 (lscr defaults), 568 (recommended in TrueNAS), etc., so containers/applications can possibly snoop on each other as long as they have the same id and access to the host's `/proc`. Other concerns are dumping the env for debugging or leaking it in some other way.
Describe the solution you'd like
If an environment variable with the suffix `_FILE` exists and points to an existing file, read the configuration value from it. This could be supported for sensitive information such as passwords/tokens/keys, or checked automatically for all possible variables in order of preference: VAR_FILE > VAR > config.php.
Intended usage is Docker secrets: instead of `MAIL_PASSWORD="password"`, write `MAIL_PASSWORD_FILE=/run/secrets/password`, but any file can also be used.
Additional context
This convention is already adopted in popular software: Postgres, Authelia, Grafana as recent examples from memory.
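
The lookup order proposed above (VAR_FILE > VAR > config.php), sketched in PHP as an added example; it is not part of the original issue or the project's own code. The function name `resolveSetting`, its `$env` parameter and the sample values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Resolve one setting in the order the request describes:
 * contents of the file named by NAME_FILE > NAME > $fallback (config.php value).
 * resolveSetting() and $env are hypothetical names used for this example.
 */
function resolveSetting(string $name, ?string $fallback = null, ?array $env = null): ?string
{
    $env ??= getenv(); // with no arguments, getenv() returns the whole environment

    // 1. NAME_FILE: used only if it points to an existing, readable regular file.
    $path = $env[$name . '_FILE'] ?? '';
    if ($path !== '' && is_file($path) && is_readable($path)) {
        $value = file_get_contents($path);
        if ($value !== false) {
            // Secret files usually end with a newline that is not part of the value.
            return rtrim($value, "\r\n");
        }
    }

    // 2. NAME: the plain environment variable.
    if (isset($env[$name]) && $env[$name] !== '') {
        return $env[$name];
    }

    // 3. Whatever config.php supplied.
    return $fallback;
}

// Constructed demo: a temporary file stands in for /run/secrets/password.
$secretFile = tempnam(sys_get_temp_dir(), 'secret');
file_put_contents($secretFile, "from-file\n");
chmod($secretFile, 0600); // readable by the owning uid only

$env = ['MAIL_PASSWORD' => 'from-env', 'MAIL_PASSWORD_FILE' => $secretFile];
var_dump(resolveSetting('MAIL_PASSWORD', 'from-config', $env)); // file takes precedence

unset($env['MAIL_PASSWORD_FILE']);
var_dump(resolveSetting('MAIL_PASSWORD', 'from-config', $env)); // plain variable is next

var_dump(resolveSetting('MAIL_PASSWORD', 'from-config', []));   // config.php value is last

unlink($secretFile);
```

With the `_FILE` form, only the path appears in the process environment; the secret itself stays in a file whose permissions can be restricted.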