Do not create default user if BACKUPPC_WEB_USER is empty #19
base: 3
Thanks a lot for your PR! Indeed, this new behavior allows to construct as you wish the credentials to connect to backuppc.
Two improvements I think that would be relevant:
- first, I think we do not need to rely on emptiness for both `BACKUPPC_WEB_USER` and `BACKUPPC_WEB_PASSWD`. I think emptiness on `BACKUPPC_WEB_USER` to trigger the logic. Then you do not need to specify anything for `BACKUPPC_WEB_PASSWD`, as it will be ignored, and that makes a cleaner configuration,
- second, you should add in the README a line about this, saying that you can deactivate the credentials provisioning by passing an empty string to `BACKUPPC_WEB_USER`, to let people know that is possible.
Thanks in advance!
Also I did not catch that it was for the v3 branch. I will also integrate it on v4 once it is merged. Here I maintain my comments, as it will emerge eventually to the current branch.
Actually, I copied this approach from BackupPC v4 (master) branch - docker-backuppc/files/entrypoint.sh Lines 44 to 53 in 6f552eb
With v4 everything is fine, so when I discovered that problem for v3 I copied the solution.
Tricked by an old PR ... For my defense, I lost PR history at some point. As it is on master, I take on my charge the actions for the comments I made if you want.
Yes, please. Sorry I do not have much time on handling this - just wanted to share the solution with users who possibly hit the same problems as me. ^__^"
Problem:
If the `BACKUPPC_WEB_USER` environment variable is empty and we already have some configuration in `/etc/backuppc/htpasswd`, then the initialization script adds a "backuppc" user, which overrides the previous admin user.

This PR fixes the problem and eliminates this security problem.
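
The guard discussed in this PR, written out as an added sketch that is not the project's `entrypoint.sh`: `provision_web_user` is a hypothetical helper name, and `openssl` is assumed to be available for hashing. It goes one step beyond the PR by replacing only the named user's line, so other accounts in the file are preserved even when provisioning does run.

```shell
#!/bin/sh
# Added example, not the project's entrypoint.sh. provision_web_user is a
# hypothetical helper; openssl is assumed to be installed for hashing.

provision_web_user() {
    file=$1
    # Empty or unset user: provisioning is disabled, so an htpasswd file the
    # operator already populated is left exactly as it is.
    if [ -z "${BACKUPPC_WEB_USER:-}" ]; then
        echo "BACKUPPC_WEB_USER is empty, not touching $file" >&2
        return 0
    fi
    # Assumption of this sketch: a named user with no password is an error.
    if [ -z "${BACKUPPC_WEB_PASSWD:-}" ]; then
        echo "BACKUPPC_WEB_PASSWD is empty, refusing to add user" >&2
        return 1
    fi
    # Password goes in on stdin so it never shows up in the process list.
    hash=$(printf '%s\n' "$BACKUPPC_WEB_PASSWD" | openssl passwd -apr1 -stdin) || return 1
    tmp=$(mktemp "${file}.XXXXXX") || return 1
    # Keep every other account and replace only this user's line.
    if [ -f "$file" ]; then
        awk -F: -v u="$BACKUPPC_WEB_USER" '$1 != u' "$file" > "$tmp"
    fi
    printf '%s:%s\n' "$BACKUPPC_WEB_USER" "$hash" >> "$tmp"
    chmod 640 "$tmp"   # mktemp creates 0600; group/owner are deployment-specific
    mv "$tmp" "$file"
}

# Constructed demo: an existing admin entry survives an empty BACKUPPC_WEB_USER.
demo_dir=$(mktemp -d)
printf 'admin:$apr1$constructed$notarealhash\n' > "$demo_dir/htpasswd"
BACKUPPC_WEB_USER=""
provision_web_user "$demo_dir/htpasswd"
cat "$demo_dir/htpasswd"
rm -rf "$demo_dir"
```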