So if you do the Docker setup, obeying the instructions and substituting everything that needs to get substituted, but don’t proofread the files in detail and so miss that line 40 of docker-compose.yml doesn’t have the variable {{domain}} like in every other location you need to write your domain, but instead just says LEMMY_UI_LEMMY_EXTERNAL_HOST=lemmy.ml and so you fail to change it away from lemmy.ml… then, everything will work, until you type in your admin password for the first time, at which point your browser will send a request to lemmy.ml which includes your admin username, your email address, and the admin password you’re trying to set. And, also, of course your IP address wherever you are sitting and setting up the server.
I have no reason at all to think the Lemmy devs have set their server up to log this information when it comes in. nginx will throw it away by default, of course, but it would be easy for them to have it save it instead, if they wanted to. And my guess is most people won’t use a different admin password once they figure out why creating their admin user isn’t working and fix it.
@[email protected] @[email protected] I think you should fix the docker-compose.yml file not to do this.
Edit: Just to increase the information-to-rudeness ratio of my post. The docs are at:
https://join-lemmy.org/docs/administration/install_docker.html
And they recommend using wget to download:
https://raw.githubusercontent.com/LemmyNet/lemmy-docs/main/assets/docker-compose.yml
Which is pulled from:
https://github.com/LemmyNet/lemmy-docs/tree/main/assets
Which is what has the wrong line 40 in it.
If we are entertain this idea, what could they possibly gain from this? Stealing passwords isn’t effective if the victim knows it’s been stolen.
Entertaining the idea… Lol
Do you think OP is making it up?
I assume they just mean the idea that is malicious and not just stupidity.
Neither is good
Yeah but one is typically significantly easier to deal with non-violently.
I think it would be very rare that people would put two and two together to realize that their password had been “stolen” by this event. Like I say, I have no real idea even if it is being stolen, just that it would be trivial for .ml to decide that they wanted to start keeping a little cache of everyone’s admin email addresses and passwords.
Like someone else said, if it was anyplace other than lemmy.ml, I wouldn’t give it a second thought, it would just be “whoa you gotta fix this.” I sort of agree with you that there’s not even really any strong indication that there’s anything all that bad they could do with it. It’s only because lemmy.ml moderation actions already have such a pattern of authoritarian dishonesty that I get to any degree paranoid or alarmed about it.
That’s just it. Someone might not realize that all that info was passed to the server when it failed if they weren’t thinking about it. They’d just correct their mistake and move on with their day, especially if they’re new to server administration as I’m sure many (not necessarily most) Lemmy admins would be.
“What could they possibly gain from having keys to the kingdom?”
rofl! Continue proving how absolutely brainless bootlickers are… It’s a good fit for you.