Password Security with SQL Server on Linux and Docker

database security - SeniorDBA

With the recent release of a preview version of SQL Server for Linux and Docker, Microsoft has made it relatively easy to run SQL Server on a non-Windows platform. For example, to install and run SQL Server v.Next on Docker, according to Microsoft’s directions, you would:

  1. Pull the Docker image from Docker Hub
  2. Run the Docker image using the following command

```bash
docker run -e 'ACCEPT_EULA=Y' -e 'SA_PASSWORD=<Strong!Passw0rd>' \
  -p 1433:1433 -d microsoft/mssql-server-linux
```

The accepted practice for setting credentials in a stateless container is to use environment variables; you can see this in the `-e 'SA_PASSWORD=<Strong!Passw0rd>'` parameter.

The potential problem with this approach is that the SA credentials will appear in the bash history. Not only this, but because the password is part of the command line, it will also show in the output of the ps command (used to list running processes). This effectively exposes the sa (system administrator) account to any admin, or any user who can read the shell history or list processes, on the host machine.

Be very careful as you evaluate this SQL Server preview to make sure you are installing SQL Server as securely as possible while you prepare to implement this product in your production environment in the coming year.
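As an added example (not from the original post, and not Microsoft's or Docker's own tooling), the following POSIX shell script first scans a constructed process/history listing for an `SA_PASSWORD=` value passed on a command line, then launches the container with the password read from a mode 0600 file and handed over through the environment, which keeps it out of argv, ps output and bash history. The optional `docker_bin` argument is an assumption made here so the launcher can be dry-run with `echo`.

```shell
#!/bin/sh
# Constructed sample (not real captured output) of what `ps -eo args` or
# ~/.bash_history would contain after the command from the post, plus a
# launch that passed only the variable name.
SAMPLE_LISTING='/bin/bash
docker run -e ACCEPT_EULA=Y -e SA_PASSWORD=<Strong!Passw0rd> -p 1433:1433 -d microsoft/mssql-server-linux
docker run -e ACCEPT_EULA=Y -e SA_PASSWORD -p 1433:1433 -d microsoft/mssql-server-linux
/opt/mssql/bin/sqlservr'

# Print every line that carries a literal SA_PASSWORD=<value>; exit status 0
# if at least one was found, 1 if the listing is clean (grep semantics).
exposed_sa_password_lines() {
  printf '%s\n' "$1" | grep -E 'SA_PASSWORD=[^[:space:]]+'
}

# Number of exposing lines, handy for an alert threshold or a test.
count_exposed_sa_passwords() {
  exposed_sa_password_lines "$1" | wc -l | tr -d ' '
}

# Launch the container with the SA password read from a file that only its
# owner can read. `-e SA_PASSWORD` with no value makes the docker client copy
# the variable from its own environment, so the secret is never part of argv
# (and therefore never in ps output or shell history). The optional second
# argument (an assumption for this example) lets you dry-run with `echo`.
# Caveat: the value is still stored in the container config and visible to
# anyone who can run `docker inspect`, so the docker socket must be protected.
run_sql_server_container() {
  secret_file="$1"
  docker_bin="${2:-docker}"
  perms=$(ls -ld "$secret_file" | cut -c5-10)        # group+other mode bits
  if [ "$perms" != "------" ]; then
    echo "refusing: $secret_file is readable by group/other ($perms)" >&2
    return 2
  fi
  SA_PASSWORD="$(cat "$secret_file")" \
    "$docker_bin" run -e ACCEPT_EULA=Y -e SA_PASSWORD \
      -p 1433:1433 -d microsoft/mssql-server-linux
}

# Stand-alone demo: scan the sample listing, then dry-run the safe launcher.
if exposed_sa_password_lines "$SAMPLE_LISTING"; then
  echo "exposed SA password found in listing above"
fi
secret=$(mktemp) && printf 'Strong!Passw0rd\n' > "$secret" && chmod 600 "$secret"
run_sql_server_container "$secret" echo
rm -f "$secret"
```

Replace `echo` with the real `docker` binary (the default) to actually start the container; the secret file itself never needs to leave the host.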
