20 lines
1.1 KiB
Plaintext
20 lines
1.1 KiB
Plaintext
Docker offers a feature to mount files and directories for specific `RUN`
|
|
instructions when building Docker images. This feature can be used to provide
|
|
secrets to the commands that are executed during the build without baking them
|
|
into the image. Additionally, it can be used to access SSH agents during the
|
|
build.
|
|
|
|
By using the `mode` option the permissions of the secrets or agents can be
|
|
modified. By default, access is limited to the root user.
|
|
|
|
When such secrets are exposed with lax permissions, they might get compromised
|
|
during the image build process. A successful compromise can only happen during
|
|
the execution of the command the `mount` option has been added to. While this
|
|
might seem like a very hard exploitation requirement, supply chain attacks, and
|
|
other related threats, should still be considered.
|
|
|
|
If you are executing a command as a low-privileged user and need to access
|
|
secrets or agents, you can use the options `uid` and `gid` to provide access
|
|
without having to resort to world-readable or writable permissions that might
|
|
expose them to unintended parties.
|