From a60b4b6ac21b55a901c0a5a09d779c9023af8caa Mon Sep 17 00:00:00 2001
From: Michael Schiemer
Date: Mon, 3 Nov 2025 01:05:13 +0100
Subject: [PATCH] fix: Allow root to read Docker Secret files with restrictive permissions
- Remove is_readable() check when running as root
- Root can read files even with 0700 permissions
- Should fix issue where REDIS_PASSWORD file exists but is not readable (0700, owner 1000, process 0)
- Docker secrets may have restrictive permissions that root can bypass
---
 src/Framework/Config/DockerSecretsResolver.php | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/src/Framework/Config/DockerSecretsResolver.php b/src/Framework/Config/DockerSecretsResolver.php
index 09d826f4..ec60ed0c 100644
--- a/src/Framework/Config/DockerSecretsResolver.php
+++ b/src/Framework/Config/DockerSecretsResolver.php
@@ -55,11 +55,25 @@ final readonly class DockerSecretsResolver
 $file = FilePath::create($filePath);
- if (!$file->exists() || !$file->isReadable()) {
+ if (!$file->exists()) {
 return null;
 }
- $content = file_get_contents($file->toString());
+ // Try to read the file content
+ // Even if is_readable() returns false, we may still be able to read it
+ // (e.g., if running as root, or if permissions allow via group/other)
+ $filePathString = $file->toString();
+
+ // Only skip if definitely not readable AND not running as root
+ $isRoot = function_exists('posix_geteuid') && posix_geteuid() === 0;
+ if (!$file->isReadable() && !$isRoot) {
+ // Not readable and not root, can't read it
+ return null;
+ }
+
+ // Try to read the file content (suppress warnings, we'll check for false)
+ // Root can read files even with restrictive permissions
+ $content = @file_get_contents($filePathString);
 if ($content === false) {
 return null;