[Security] Data/config files are insecure in Docker image. Read permission for 'others' by default #1389

Closed
opened 2025-10-09 17:13:41 +03:00 by OVERLORD · 1 comment
Owner

Originally created by @jsalgado78 on GitHub.

Subject of the issue

Vaultwarden data/config files are insecure. Read permission for 'others' by default

Deployment environment

Docker

Steps to reproduce

```
docker run -it --rm vaultwarden/server:latest

Save configuration from Vaultwarden admin web UI

docker exec -it ls -las /data
```

Expected behaviour

Data/config files should have permission 0600. Read-write to owner
config.json should be encrypted if it's possible

Actual behaviour

Files like config.json and database are created with permission 0644 by default
config.json contains admin token in plaintext

```
  4 drwxr-xr-x. 3 root root   4096 May 3 11:05 .
  8 drwxr-xr-x. 1 root root   4096 May 3 10:04 ..
  4 -rw-r--r--. 1 root root   1160 May 3 10:04 config.json
164 -rw-r--r--. 1 root root 167936 May 3 10:04 db.sqlite3
 32 -rw-r--r--. 1 root root  32768 May 3 11:05 db.sqlite3-shm
  0 -rw-r--r--. 1 root root      0 May 3 11:05 db.sqlite3-wal
  4 drwxr-xr-x. 2 root root   4096 May 3 10:04 icon_cache
  4 -rw-------. 1 root root   1193 May 3 10:04 rsa_key.der
  4 -rw-------. 1 root root   1679 May 3 10:04 rsa_key.pem
  4 -rw-r--r--. 1 root root    270 May 3 10:04 rsa_key.pub.der
```
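An added example, not part of the original issue and not Vaultwarden code: a POSIX shell audit that lists data files granting any permission to group or others, tightens an existing directory to the 0600 target named under "Expected behaviour", and shows that a umask of 077 makes newly created files private. The function names are hypothetical, the sample directory is constructed to mirror the modes in the listing, and the umask step assumes the writing process does not set explicit file modes itself.

```shell
#!/bin/sh
# Added example (not Vaultwarden code). All function names are hypothetical.

# Print regular files under DIR that grant any permission bit to group or
# others. Only POSIX find primaries are used: "-perm -MODE" matches when all
# bits in MODE are set, so each group/other bit is tested separately.
list_exposed() {
    find "$1" -type f \( -perm -004 -o -perm -002 -o -perm -001 \
        -o -perm -040 -o -perm -020 -o -perm -010 \) -print | sort
}

# Tighten an existing data directory: 0700 on directories, 0600 on files.
harden_data_dir() {
    find "$1" -type d -exec chmod 700 {} +
    find "$1" -type f -exec chmod 600 {} +
}

# Create a file with a umask of 077 so it is born 0600 and never passes
# through a world-readable state. The subshell keeps the caller's umask.
create_private() {
    ( umask 077 && : > "$1" )
}

# Constructed sample: a temporary directory with the same file modes as the
# listing in the issue (0644 data files, 0600 private key, 0755 subdirectory).
make_sample() {
    dir=$(mktemp -d) || return 1
    for f in config.json db.sqlite3 rsa_key.pub.der; do
        : > "$dir/$f" && chmod 644 "$dir/$f"
    done
    : > "$dir/rsa_key.pem" && chmod 600 "$dir/rsa_key.pem"
    mkdir "$dir/icon_cache" && chmod 755 "$dir/icon_cache"
    printf '%s\n' "$dir"
}
```

On a real deployment the same functions would be pointed at the host path of the volume mounted at /data; `list_exposed` printing nothing means no file there is readable by group or others.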

Author
Owner

@BlackDex commented on GitHub:

I'm going to move this to the discussions under Ideas, also to keep the issues for actual issues to the software.

There are also some ways to have the user-id configurable via ENV's like some other docker images of some tools provide.
Not sure if that would be a good thing for this project, but I think we are open to any well-written and documented PR regarding this.


Reference: starred/vaultwarden#1389