216

The result of the study can be found at https://arxiv.org/pdf/2307.03958.pdf.

you are viewing a single comment's thread
view the rest of the comments
[-] Dasnap@lemmy.world 69 points 1 year ago

The amount of the internet and cloud infrastructure that is built on public Docker images makes this... worrying.

[-] ellie@lemmy.silkky.dev 47 points 1 year ago

This isn't really surprising and isn't actually a real security issue with Docker itself or any of the popular public images. Docker Hub is a public registry so people inexperienced with Docker accidentally include secrets in their images and upload it to Docker Hub, this is actually pretty well known and the Docker docs specifically warn people about this.

[-] Fryboyter@discuss.tchncs.de -1 points 1 year ago

How can you be sure it doesn't affect popular images? The probability may be lower, but I don't think you can rule it out.

[-] ellie@lemmy.silkky.dev 18 points 1 year ago

The most popular images on Docker Hub are official / library images, they are curated and monitored by Docker for best practices and security vulnerabilities. I'm not saying that means you should trust them completely, it's always best practice to read the source of an image before you use it.

[-] 4am@lemmy.world 11 points 1 year ago

This doesn’t mean that YOUR secrets are exposed by using the image, btw - this means that whomever built that image would be accidentally exposing their secrets.

Unless you built the image and added your secrets to it and then uploaded it to a public Docker registry. But again, that’s not a flaw in Docker.

[-] Sethayy@sh.itjust.works 7 points 1 year ago

Sane way you cant be sure your soap isnt poision, sure the manufacturing line could have messed up but like.. the shady burger joint down the street is a lot more likely to have slipped up. The probability of anything is not zero, but we ignore a hell of a lot of possibilities

[-] abraham_linksys@sh.itjust.works 6 points 1 year ago

There is a nonzero probability of getting hit by a meteor at any time. A woman in Alabama was hit by one while she was inside her home, you're not even safe indoors!

You all might think I'm a fool for wearing a helmet every time I leave my definitely meteor-proof house, but I'm not taking any chances.

[-] Spaniard@lemmy.world -1 points 1 year ago

You are a fool because no helmet can protect you from a projectile that crossed space, survived entrance in the atmosphere. All that just to hit you

[-] 4am@lemmy.world 3 points 1 year ago

Wait so who is the atmosphere and who are the solar winds in this metaphor? I’m having trouble seeing the point through all the pedantry over allegorical choice

[-] lowleveldata@programming.dev 20 points 1 year ago

Isn't it about people pushing their keys to public? I feel like this doesn't affect the pulling side

[-] Burn1ngBull3t@lemmy.world 10 points 1 year ago

It’s actually how people build their images, in which some include sensitive data (when they should definitely not). It’s the same problem as exposed S3 buckets actually, nothing wrong with docker in itself.

[-] Dasnap@lemmy.world 6 points 1 year ago

aws s3 sync s3://barrys-nudes/ .

[-] Dirk@lemmy.ml 2 points 1 year ago

Have you seen the instructions on how to build the Lemmy images? That's some crazy shit ...

[-] Burn1ngBull3t@lemmy.world 1 points 1 year ago

Actually yes, I had a look at them since i wanted to write HelmCharts for the community. That’s also where the community can step up, it can only be better 😊

[-] Dirk@lemmy.ml 1 points 1 year ago

I actually started looking into creating own Docker images because of how bad Lemmy's Docker instructions are. I'm not even close to anything usable, though ...

[-] Burn1ngBull3t@lemmy.world 1 points 1 year ago

I understand! If you need help to do that (or someone to contribute), hit me up ! 😄

[-] Laser@feddit.de 3 points 1 year ago

I guess it depends, if it's a secret in use for the image, an attacker might use it to attack a pulled instance if the user deploying it didn't change the secret. Kind of like an unchanged initial password.

[-] moon_matter@kbin.social 1 points 1 year ago* (last edited 1 year ago)

Is this even a legitimate problem? Lots of people, myself included, have a "local" configuration. All of the services and credentials mentioned in the config are running on my personal machine for testing only during active development. None of those credentials refer to any sort of "real" service that's on 24/7 and accessible via the internet. It's effectively dummy data to the rest of the world and I imagine there are a ton of false positives like what I just described.

this post was submitted on 17 Jul 2023
216 points (99.1% liked)

Linux

47996 readers
972 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS