Skip to content

[BUG] injected secrets are no longer world readable by default #12658

New issue
New issue
Closed
Closed
[BUG] injected secrets are no longer world readable by default#12658
Labels
kind/bugstatus/0-triage
@r3mi

Description

@r3mi
r3mi
opened on Mar 22, 2025

Description

after upgrading to docker compose v2.34.0, file secrets are not long world readable by default.
According to documentation, should be 0444 by default.

Steps To Reproduce

  1. create docker-compose.yml
services:
  bug:
    image: bash
    secrets:
      - USER
    command: "ls -la /run/secrets"
secrets:
  USER:
    environment: "USER"
  1. docker compose run bug
  2. using docker compose v2.33.1
-r--r--r--    1 root     root             4 Mar 22 13:25 USER
  1. using docker compose v2.34.0
-r--r-----    1 root     root             4 Mar 22 13:26 USER

Compose Version

Docker Compose version v2.34.0

Docker Environment

Client: Docker Engine - Community
 Version:    28.0.2
 Context:    rootless
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.22.0
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.34.0
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 62
  Running: 59
  Paused: 0
  Stopped: 3
 Images: 81
 Server Version: 28.0.2
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: true
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: bcc810d6b9066471b0b6fa75f557a15a1cbf31bb
 runc version: v1.2.4-0-g6c52b3f
 init version: de40ad0
 Security Options:
  seccomp
   Profile: builtin
  rootless
  cgroupns
 Kernel Version: 6.8.0-52-generic
 Operating System: Ubuntu 22.04.5 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 4
 Total Memory: 15.4GiB
 Name: tux
 ID: 24807eb6-88c9-4eae-97ac-56e327a311f7
 Docker Root Dir: /home/*redacted*/.local/share/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  ::1/128
  127.0.0.0/8
 Live Restore Enabled: false
 Default Address Pools:
   Base: 172.16.0.0/12, Size: 20

WARNING: No cpu cfs quota support
WARNING: No cpu cfs period support
WARNING: No cpu shares support
WARNING: No cpuset support
WARNING: No io.weight support
WARNING: No io.weight (per device) support
WARNING: No io.max (rbps) support
WARNING: No io.max (wbps) support
WARNING: No io.max (riops) support
WARNING: No io.max (wiops) support

Anything else?

I am using docker rootless, but I observed the same problem using docker rootful.

Metadata

Metadata

Assignees

No one assigned

    Labels

    kind/bugstatus/0-triage

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions