Skip to content

Docker cli login potential security issue or not? #26826

Docker cli login potential security issue or not? #26826
Sep 23, 2021 · 3 answers

Login to DockerHub in a GiHA pipeline using the Docker CLI:

Run DOCKER_USER=***
  DOCKER_USER=***
  DOCKER_PASSWORD=***

echo $DOCKER_PASSWORD | docker login --username $DOCKER_USER
--password-stdin
shell: /usr/bin/bash -e {0}
WARNING! Your password will be stored unencrypted in /home/runner/.docker/config.json.
Login Succeeded

The *** represent ${{ secrets.DOCKER_USER }} and ${{ secrets.DOCKER_PASSWORD }} respectively.

So, I followed the warning, found the file and printed it in the console:

{
        "auths": {
                "https://index.docker.io/v1/": {
                        "auth": "long-string-of-random-characters"
                }
        }
}

So here I found that the password to my Dhub account was indeed encrypted by GitHub’s Secrets module and appended to this file encrypted, unlike the warning in the log indicated.

Now what I am wondering, if the password is encrypted by the Secrets module is there really a security issue with that value being appended to the config.json file, since the only way someone would have access to that file in that state is to that someone having access to my account in the first place ?

My conclusion is No., but I would like to have a second/third/Nth opinion of someone more experienced than moi.

aleks-ivanov:

So here I found that the password to my Dhub account was indeed encrypted by GitHub’s Secrets module and appended to this file encrypted, unlike the warning in the log indicated.

That conclusion is unfortunately wrong, try base64-decoding that long-string-of-random-characters thing. 😉

If someone could get access to the runner while your credentials are in there they could use them. It’s up to you whether you consider that an unacceptable risk. It is common practice to ensure that the credentials are deleted after use, even though the GitHub-hosted runner VMs are discarded after the job.

Replies

3 suggested answers
aleks-ivanov:

So here I found that the password to my Dhub account was indeed encrypted by GitHub’s Secrets module and appended to this file encrypted, unlike the warning in the log indicated.

That conclusion is unfortunately wrong, try base64-decoding that long-string-of-random-characters thing. 😉

If someone could get access to the runner while your credentials are in there they could use them. It’s up to you whether you consider that an unacceptable risk. It is common practice to ensure that the credentials are deleted after use, even though the GitHub-hosted runner VMs are discarded after the job.

0 replies
Answer selected

That’s what I was unsure about, thanks for clarifying.

What are ways that someone could access the runner during execution, other than having access to my GH account ?

0 replies

If you use GitHub-hosted runners, no-one should be able to access them, assuming that:

  • GitHub’s security systems work as designed.
  • You don’t do anything in the workflow to allow outside access or exfiltrate secrets, or that has security issues that allow others to do so.

If you use self-hosted runners, it’s up to you to secure them.

0 replies
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
2 participants