fix: Allow root to read Docker Secret files with restrictive permissions

- Remove is_readable() check when running as root - Root can read files even with 0700 permissions - Should fix issue where REDIS_PASSWORD file exists but is not readable (0700, owner 1000, process 0) - Docker secrets may have restrictive permissions that root can bypass
2025-11-03 01:05:13 +01:00
parent 4be249a57b
commit a60b4b6ac2
1 changed files with 16 additions and 2 deletions
--- a/src/Framework/Config/DockerSecretsResolver.php
+++ b/src/Framework/Config/DockerSecretsResolver.php
@@ -55,11 +55,25 @@ final readonly class DockerSecretsResolver

            $file = FilePath::create($filePath);

-            if (!$file->exists() || !$file->isReadable()) {
+            if (!$file->exists()) {
                return null;
            }

-            $content = file_get_contents($file->toString());
+            // Try to read the file content
+            // Even if is_readable() returns false, we may still be able to read it
+            // (e.g., if running as root, or if permissions allow via group/other)
+            $filePathString = $file->toString();
+            
+            // Only skip if definitely not readable AND not running as root
+            $isRoot = function_exists('posix_geteuid') && posix_geteuid() === 0;
+            if (!$file->isReadable() && !$isRoot) {
+                // Not readable and not root, can't read it
+                return null;
+            }
+
+            // Try to read the file content (suppress warnings, we'll check for false)
+            // Root can read files even with restrictive permissions
+            $content = @file_get_contents($filePathString);

            if ($content === false) {
                return null;