This repository has been archived by the owner on May 23, 2024. It is now read-only.

DO NOT USE THIS DIRECTLY #1052

Open
maviterlikli opened this issue Apr 20, 2024 · 0 comments


@maviterlikli

There are volume mounts from your Windows user's directory to containers. No one can be sure that the code running in the container is not malicious, and by mounting ~/.aspnet/https and ~/.microsoft/usersecrets you are giving access to your critical files. This is a critical security issue and you should change the following volume definitions in docker-compose.override.yaml:

```yaml
version: '3.4'
services:
  eshopwebmvc:
    environment:
      - ASPNETCORE_ENVIRONMENT=Docker
      - ASPNETCORE_URLS=http://+:8080
    ports:
      - "5106:8080"
    volumes:
      - ~/.aspnet/https:/root/.aspnet/https:ro
      - ~/.microsoft/usersecrets:/root/.microsoft/usersecrets:ro
  eshoppublicapi:
    environment:
      - ASPNETCORE_ENVIRONMENT=Docker
      - ASPNETCORE_URLS=http://+:8080
    ports:
      - "5200:8080"
    volumes:
      - ~/.aspnet/https:/root/.aspnet/https:ro
      - ~/.microsoft/usersecrets:/root/.microsoft/usersecrets:ro
```

A better version of docker-compose.override.yaml is below, which does not use bind mounts but volumes managed by Docker itself.

```yaml
version: '3.4'
services:
  eshopwebmvc:
    environment:
      - ASPNETCORE_ENVIRONMENT=Docker
      - ASPNETCORE_URLS=http://+:8080
    ports:
      - "5106:8080"
    volumes:
      - aspnet-https:/root/.aspnet/https:ro
      - microsoft-usersecrets:/root/.microsoft/usersecrets:ro
  eshoppublicapi:
    environment:
      - ASPNETCORE_ENVIRONMENT=Docker
      - ASPNETCORE_URLS=http://+:8080
    ports:
      - "5200:8080"
    volumes:
      - aspnet-https:/root/.aspnet/https:ro
      - microsoft-usersecrets:/root/.microsoft/usersecrets:ro
# Named volumes created and managed by Docker (no host paths involved)
volumes:
  aspnet-https:
  microsoft-usersecrets:
```
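
One way to check a compose file for the host bind mounts this issue describes, as an added example (not part of the original issue or the repository's code). It assumes short-syntax `source:target[:mode]` volume entries only; `find_bind_mounts`, `SAMPLE`, `NAMED` and `ENTRY` are illustrative names.

```python
import re

# Constructed sample: the bind mounts quoted in the issue plus one named volume for contrast.
SAMPLE = """\
services:
  eshopwebmvc:
    volumes:
      - ~/.aspnet/https:/root/.aspnet/https:ro
      - ~/.microsoft/usersecrets:/root/.microsoft/usersecrets:ro
  eshoppublicapi:
    volumes:
      - aspnet-https:/root/.aspnet/https:ro
volumes:
  aspnet-https:
"""

# A source that is a plain name is a Docker-managed named volume; anything with a
# path prefix (~, ., /, a Windows drive letter, a variable) is a host bind mount.
NAMED = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]*$")
# source:target[:mode], tolerating a drive-letter colon at the start of the source.
ENTRY = re.compile(r"^(?P<src>(?:[A-Za-z]:[\\/])?[^:]*):(?P<dst>/[^:]*)(?::(?P<mode>\w+))?$")

def find_bind_mounts(compose_text):
    """Return (service, source, target, mode) for every short-syntax bind mount."""
    findings = []
    in_services, svc_indent, service, in_volumes = False, None, None, False
    for raw in compose_text.splitlines():
        text = raw.strip()
        if not text or text.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if indent == 0:                                   # top-level key
            in_services, svc_indent, in_volumes = text == "services:", None, False
        elif not in_services:                             # e.g. top-level volumes: section
            continue
        elif svc_indent is None or indent == svc_indent:  # a service name
            svc_indent, service, in_volumes = indent, text.rstrip(":"), False
        elif not text.startswith("-"):                    # a key inside the service
            in_volumes = text == "volumes:"
        elif in_volumes:                                  # a list item under volumes:
            m = ENTRY.match(text[1:].strip().strip("'\""))
            if m and not NAMED.match(m["src"]):
                findings.append((service, m["src"], m["dst"], m["mode"] or "rw"))
    return findings

if __name__ == "__main__":
    for svc, src, dst, mode in find_bind_mounts(SAMPLE):
        print(f"{svc}: host path {src} is mounted at {dst} ({mode})")
```

A read-only (`ro`) bind mount still lets the container read everything under the host path, which is why the check reports bind mounts regardless of mode.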