YSK: If you set up a Lemmy instance, and follow the Docker setup instructions to the letter, it will send lemmy.ml your admin password during the setup process

Submitted ⁨⁨3⁩ ⁨weeks⁩ ago⁩ by ⁨PhilipTheBucket@ponder.cat⁩ to ⁨youshouldknow@lemmy.world⁩

So if you do the Docker setup, obeying the instructions and substituting everything that needs to get substituted, but don’t proofread the files in detail and so miss that line 40 of docker-compose.yml doesn’t have the variable {{domain}} like in every other location you need to write your domain, but instead just says LEMMY_UI_LEMMY_EXTERNAL_HOST=lemmy.ml and so fail to change it away from lemmy.ml… then, everything will work, except that when you type in your admin password for the first time, your browser will send a request to lemmy.ml which includes your admin username, your email address, and the admin password you’re trying to set. And, also, of course the home IP address of the admin setting up the server.

I have no reason at all to think the Lemmy devs have set their server up to log this information when it comes in. nginx will throw it away by default, of course, but it would be easy for them to have it save it instead, if they wanted to. And my guess is most people won’t use a different admin password once they figure out why creating their admin user isn’t working and fix it.

@dessalines@lemmy.ml I think you should fix the docker-compose.yml file not to do this.

source

Comments

Sort:hotnew top

Semi_Hemi_Demigod@lemmy.world ⁨3⁩ ⁨weeks⁩ ago
That’s so on-character for .ml

source
- PhilipTheBucket@ponder.cat ⁨3⁩ ⁨weeks⁩ ago
  The longer I look at it the more suspicious I am of it, to be honest. I’m just kind of generally a paranoid and accusatory person, so take that into account, but… the files are pretty carefully set up. They have variable substitutions for everything, including a bunch of places where there’s a template substitution to change a string around when setting cache keys so that it’ll still work out-of-the-box right away, even in complex configurations like multiple domains on a single server. It all works out-of-the-box right away, they’ve clearly been attentive to making sure it’s all set up right and keeps working cleanly as things have been evolving forward. Except for that one place.
  
  source
  - aubeynarf@lemmynsfw.com ⁨3⁩ ⁨weeks⁩ ago
    this is how those Marxist Leninst nation state actors work
    
    source
  - lorty@lemmy.ml ⁨3⁩ ⁨weeks⁩ ago
    If we are entertain this idea, what could they possibly gain from this? Stealing passwords isn’t effective if the victim knows it’s been stolen.
    
    source
    -> View More Comments
- BroBot9000@lemmy.world ⁨3⁩ ⁨weeks⁩ ago
  Was just gonna say. Exactly what some authoritarian boot lickers would do.
  
  source
  - Semi_Hemi_Demigod@lemmy.world ⁨3⁩ ⁨weeks⁩ ago
    “Of course the Central Committee would have access to your instance. Why is that a problem? Are you doing something counter-revolutionary?!”
    
    source
- TachyonTele@piefed.social ⁨3⁩ ⁨weeks⁩ ago
  Im loving that there are ml users coming in and defending it lol
  
  source
  - PhilipTheBucket@ponder.cat ⁨3⁩ ⁨weeks⁩ ago
    Yeah, don’t they realize they could have just spent that time productively by making a pull request, instead?
    
    source
    -> View More Comments
  - Ephera@lemmy.ml ⁨3⁩ ⁨weeks⁩ ago
    The devs have access to the source code. Why would they put something like this two layers deep into the documentation? It’s like those people that think Mozilla is evil, because Mozilla openly talks about what they’re doing. If they wanted to be evil, you would know jackshit about it.
    
    source
    -> View More Comments
- lorty@lemmy.ml ⁨3⁩ ⁨weeks⁩ ago
  Why are you assuming malice when this is probably just a mistake/oversight?
  
  source
  - socsa@piefed.social ⁨3⁩ ⁨weeks⁩ ago
    Because of the way Dessalines and Nutomic consistently act?
    
    Watch. They won't apologize or admit wrongdoing here. They never do.
    
    source
    -> View More Comments
  - Semi_Hemi_Demigod@lemmy.world ⁨3⁩ ⁨weeks⁩ ago
    Because “when someone shows you who they are, believe them the first time .”
    
    source
    -> View More Comments
  - DeathByBigSad@sh.itjust.works ⁨3⁩ ⁨weeks⁩ ago
    en.wikipedia.org/wiki/XZ_Utils_backdoor
    
    source
    -> View More Comments
  - cm0002@lemmy.world ⁨3⁩ ⁨weeks⁩ ago
    Uh huh, just like how the instance/user block being horribly implemented to where it’s just a barely functional mute is just a (4 year) “oversight”
    
    lemmy.world/post/29072279
    
    source
- OpenStars@piefed.social ⁨3⁩ ⁨weeks⁩ ago
  We are using their tools though...
  
  Well, you are, while I am on PieFed:-P If you do not like what you've heard here, then consider switching to Piefed.World (Lemmy.World's recently-announced PieFed replacement for Lemmy)
  
  source
  - tal@lemmy.today ⁨3⁩ ⁨weeks⁩ ago
    Oh, that’s interesting. Didn’t know about that.
    
    I don’t think that there’s a way to list instances that a PieFed instance has defederated from, unlike Lemmy; while both have a list of instances at /instances, only Lemmy indicates which ones have been defederated from. It was a helpful tool to help me guess the sort of content an instance had.
    
    Like:
    
    lemmy.world/instances
    
    piefed.world/instances
    
    source
    -> View More Comments
- umbrella@lemmy.ml ⁨3⁩ ⁨weeks⁩ ago
  [deleted]
  source
  - Bloomcole@lemmy.world ⁨3⁩ ⁨weeks⁩ ago
    They are more anti - ml than their beloved ww2 nazi examples.
    You can feel them foaming at the mouth.
    
    source
starman@programming.dev ⁨3⁩ ⁨weeks⁩ ago
You should edit your post with link to this PR - it’s fixed now

github.com/LemmyNet/lemmy-docs/pull/379

source
- PhilipTheBucket@ponder.cat ⁨3⁩ ⁨weeks⁩ ago
  Edited.
  
  source
  - starman@programming.dev ⁨3⁩ ⁨weeks⁩ ago
    Thanks
    
    source
AusatKeyboardPremi@lemmy.world ⁨3⁩ ⁨weeks⁩ ago
Thank you for discovering this, and creating awareness around it.

Seems like a genuine miss, contrary to what the comments here would have one believe, given that the compose file (and rest of the docs) were mostly derived from whatever worked for the developers themselves.

source
- PhilipTheBucket@ponder.cat ⁨3⁩ ⁨weeks⁩ ago
  
  Seems like a genuine miss, contrary to what the comments here would have one believe,
  
  You might be right. I looked at the history and the way it came in, and it’s not as wildly anomalous to the rest of the file when looked at in context. Maybe it’s just a mistake.
  
  source
  - A_Random_Idiot@lemmy.world ⁨3⁩ ⁨weeks⁩ ago
    When it comes to tankies/rightwing/etc/etc I always assume a Reverse Hanlons Razor. Never attribute to stupidity what can be adequately explained by malice.
    
    source
  - mojofrododojo@lemmy.world ⁨3⁩ ⁨weeks⁩ ago
    if it was inadvertent you’d think someone at the receiving address would have spoken up…
    
    source
    -> View More Comments
Azzu@lemmy.dbzer0.com ⁨3⁩ ⁨weeks⁩ ago
Why make a Lemmy post about this and not just a GitHub issue?

source
- PhilipTheBucket@ponder.cat ⁨3⁩ ⁨weeks⁩ ago
  I think it should be more public knowledge than just people who peruse the github issues. Also, it’s so trivial to fix that it will save them some time if they don’t have to close the issue after they spend literally 10-15 seconds fixing it.
  
  source
  - limer@lemmy.dbzer0.com ⁨3⁩ ⁨weeks⁩ ago
    I think you should also make a GitHub issue too
    
    source
    -> View More Comments
  - Azzu@lemmy.dbzer0.com ⁨3⁩ ⁨weeks⁩ ago
    There is no other reason to do it like this in a Lemmy post other than you want to publicly discredit the devs somehow. This is quite obviously a mistake and not a way to harvest admin passwords. Just fixing it and not trying to stir up shit would have been the right thing to do.
    
    source
    -> View More Comments
- finitebanjo@lemmy.world ⁨3⁩ ⁨weeks⁩ ago
  Because the main Lemmy devs are authoritarian assholes.
  
  source
- southsamurai@sh.itjust.works ⁨3⁩ ⁨weeks⁩ ago
  Just for the hell of it, I don’t know about OP, but I don’t even know how to.
  
  I went to the relevant linked section and couldn’t find a way to raise an issue directly. I’m going to try again, and if I succeed I’ll return here and make a top level comment for anyone scrolling by and wondering. I’ve never tried to do this before, so I’ll see how it goes.
  
  source
  - Azzu@lemmy.dbzer0.com ⁨3⁩ ⁨weeks⁩ ago
    OP managed to find the bug. He knows how to fix it. Obviously he’d know how to make an issue about it, and probably even know how to contribute his fix that he already made in the official way to the open source project.
    
    You do not possess these skills so obviously you’re not the one who should make the issue.
    
    Yet he decided to somehow create this public post highlighting something that could be sketchy to try to publicly discredit the devs. There is no other reason to do it like this.
    
    source
    -> View More Comments
- lorty@lemmy.ml ⁨3⁩ ⁨weeks⁩ ago
  Why try to fix the issue if you can just farm some drama?
  
  source
davidgro@lemmy.world ⁨3⁩ ⁨weeks⁩ ago
This is fixed now.

source
DeathByBigSad@sh.itjust.works ⁨3⁩ ⁨weeks⁩ ago
Bruh

Now I have trust issues with open source programs.

points glock at VLC Media Player

“WHO THE FUCK DO YOU WORK FOR? TRYING TO JUMPSCARE ME?”

💥🔫
💥🔫
💥🔫
💥🔫
💥🔫
💥🔫

source
- Stovetop@lemmy.world ⁨3⁩ ⁨weeks⁩ ago
  I’m reminded of stories I’ve heard of graduate students hiding a note and some cash in the pages of their theses that they submit to the university, just to see if anyone bothers reading it and takes the cash. They return years later to find it still there.
  
  With open source, the code is all there ready for review by anyone, as long as you have the technical knowhow and patience to review the code you use. But like reading the terms and conditions for everything we use, how many people actually take the time to go through all that code?
  
  source
  - Saleh@feddit.org ⁨3⁩ ⁨weeks⁩ ago
    Some people do and at least you can, which makes it much better than proprietary software, where it is impossible to find out, if they didn’t include a direct pipeline to whatever three letter agency asked them to do it.
    
    source
- n3m37h@sh.itjust.works ⁨3⁩ ⁨weeks⁩ ago
  Quick, Louis Rossmann next! Who knows who that off the rail New Yarker will do next!
  
  source
socsa@piefed.social ⁨3⁩ ⁨weeks⁩ ago
The funny part about this post is that @dessalines@lemmy.ml literally will not post on this instance (or most instances besides the tankie triad) because he is a coward.

source
- MotoAsh@lemmy.world ⁨3⁩ ⁨weeks⁩ ago
  You speak truth, and the proof is that coward will not even aknowledge this news. Mark my words… tankies are just fascists of a different degeneracy.
  
  source
  - zeca@lemmy.eco.br ⁨3⁩ ⁨weeks⁩ ago
    They did acknowledge and fix it.
    
    source
    -> View More Comments
  - Mouette@jlai.lu ⁨3⁩ ⁨weeks⁩ ago
    If there’s one tribal degenerate here it’s you my friend. They fixed this minor issue that’s been turned into a big conspiracy by you degenerate while there’s 0 actual consequence or admin saying they’ve been hacked. Please get away from internet, speak to people in real life and come back when you’re socially adpated.
    
    source
    -> View More Comments
- INHALE_VEGETABLES@aussie.zone ⁨3⁩ ⁨weeks⁩ ago
  spits on @dessalines@lemmy.ml
  
  source
Rentlar@lemmy.ca ⁨3⁩ ⁨weeks⁩ ago
Good catch, seems like an oversight.

source
AlteredEgo@lemmy.ml ⁨3⁩ ⁨weeks⁩ ago
Oh no, the secret plot of the tankies for world domination has been unmasked!

source
narr1@lemmy.ml ⁨3⁩ ⁨weeks⁩ ago
there seem to be a lot of typical .world sheep in these comments

source
- PhilipTheBucket@ponder.cat ⁨3⁩ ⁨weeks⁩ ago
  I know, we don’t want our software sending our critical stuff to the trusted good leader, and we don’t feel like participating in places where only the leader’s viewpoint is acceptable. Unlike the non-sheep, who are fine with both those things apparently, because who wouldn’t trust the good leader.
  
  source
  - narr1@lemmy.ml ⁨3⁩ ⁨weeks⁩ ago
    nah, more like jumping on the bandwagon to shit on anyone conforming our presupposed biases. but sure, whatever
    
    source
    -> View More Comments
burgerpocalyse@lemmy.world ⁨3⁩ ⁨weeks⁩ ago
ope, just gonna squeeze on through this minefield, dont mind me

source
Hawk@lemmynsfw.com ⁨3⁩ ⁨weeks⁩ ago
Yeah this hit me as well and it was very confusing until I found that lemmy.ml

I can’t find it [on the main branch] (github.com/LemmyNet/lemmy/…/docker-compose.yml) so I didn’t raise am issue

source
- PhilipTheBucket@ponder.cat ⁨3⁩ ⁨weeks⁩ ago
  Did you use a different admin password when you did the new setup after fixing it? If not, I think you should change your admin password.
  
  source
  - Hawk@lemmynsfw.com ⁨3⁩ ⁨weeks⁩ ago
    That’s right, one should. However, I’m using this only as an internal documentation tool, There’s no port forward and it’s not public. I am literally using it to take notes on a few things I’m developing.
    
    It’s actually really nice being able to drop a whole bunch of links and have them threaded and linked between each other. It works quite well.
    
    source
- Jakeroxs@sh.itjust.works ⁨3⁩ ⁨weeks⁩ ago
  So it’s not in the repo, where did you get the compose? This smells like bullshit
  
  source
  - PhilipTheBucket@ponder.cat ⁨3⁩ ⁨weeks⁩ ago
    The live docs at:
    
    join-lemmy.org/docs/…/install_docker.html
    
    Link to:
    
    raw.githubusercontent.com/…/docker-compose.yml
    
    Which is what needs to be updated.
    
    source
    -> View More Comments
  - Hawk@lemmynsfw.com ⁨3⁩ ⁨weeks⁩ ago
    In not the OP but I hit the same issue.
    
    source
- PhilipTheBucket@ponder.cat ⁨3⁩ ⁨weeks⁩ ago
  The relevant repo is:
  
  github.com/LemmyNet/lemmy-docs
  
  If you wanted to submit a PR, I think that would be a good idea. I’ve posted the patch elsewhere in the comments.
  
  source
- salmoura@lemmy.eco.br ⁨3⁩ ⁨weeks⁩ ago
  That seems like a mistake in the design of the compose file mentioned (not using the “{{ domain }}” pattern in the LEMMY_UI_LEMMY_EXTERNAL_HOST environment variable) in the docs and a case of the documentation not being explicit about what needs to be changed (they refer to that variable in the README of the Lemmy UI repo when you read about the config file mentioned in the docs).
  
  source
  - Hawk@lemmynsfw.com ⁨3⁩ ⁨weeks⁩ ago
    Yeah, without a doubt, it’s just an oversight.
    
    There’s nothing malicious here.
    
    I should have read the docker compose a bit closer when I was trying to figure it out but There’s only so many hours in the day, and sometimes you rush.
    
    source
  - uranibaba@lemmy.world ⁨3⁩ ⁨weeks⁩ ago
    Here is the commit github.com/…/b3bd2afd6af18e71048ade7e82b541ff903a…
    
    It creates the docker file and updates the docs to (among other things) point to the he file, the old being raw.githubusercontent.com/…/docker-compose.yml.
    
    I wonder why it does not point to the main repo. The PR does not discuss the it. github.com/LemmyNet/lemmy-docs/pull/315
    
    source
- obviouspornalt@lemmynsfw.com ⁨3⁩ ⁨weeks⁩ ago
  
  I can’t find it on the main branch
  
  Isn’t that even more suspicious?
  
  What branch is OP’s build from if not main?
  
  source

Cyberflunk@lemmy.world ⁨3⁩ ⁨weeks⁩ ago

Can you point to a repository somewhere?

source

PhilipTheBucket@ponder.cat ⁨3⁩ ⁨weeks⁩ ago

--- a/docker-compose.yml	2025-07-12 00:17:33.050443300 +0000
+++ b/docker-compose.yml	2025-07-12 00:18:21.038972526 +0000
@@ -37,7 +37,7 @@
     image: dessalines/lemmy-ui:0.19.12
     environment:
       - LEMMY_UI_LEMMY_INTERNAL_HOST=lemmy:8536
-      - LEMMY_UI_LEMMY_EXTERNAL_HOST=lemmy.ml
+      - LEMMY_UI_LEMMY_EXTERNAL_HOST={{ domain }}
       - LEMMY_UI_HTTPS=true
     volumes:
       - ./volumes/lemmy-ui/extra_themes:/app/extra_themes

source

Cyberflunk@lemmy.world ⁨3⁩ ⁨weeks⁩ ago
Thank you!

source

towerful@programming.dev ⁨3⁩ ⁨weeks⁩ ago
I really wish there was a way to enforce transparency of docker env vars.
I get that it’s impossible to make it a part of docker, env vars get parsed by code and turned into variables. There is no way that docker can enforce it, cause a null/undefined check with a default value is all that would be needed to subvert checks by docker, and every language uses a different way to check env vars (eg .env files, environment init scripts, whatever).
And even then, the env var value could be passed through a ridiculous chain of assignments and checks.
And, some of those ‘get env var’ routines could be conditional. Not all projects capture all env vars during some initial routine.

I’ve spent hours (maybe days) trawling through undocumented env vars trying to figure out their purpose, in order to leverage them in docker/k8s stacks.
I wish there was something.

Thankfully, a bit of time spent with a FOSS project and reviewing the code does shed light on hidden env vars.
And a PR or 2 gets comments and documentation updated.
Open source is awesome

source
- PhilipTheBucket@ponder.cat ⁨3⁩ ⁨weeks⁩ ago
  Yeah, I honestly just strongly dislike the whole Docker ethos. It was designed for one thing (deployment at scale), at which it excelled, and then everyone uses it for a different thing (reproducible one-off deployment), at which it is fine, basically, but just kind of the minimum set of capabilities to get the job done.
  
  Nix can do what Docker does, in a much superior fashion (lower disk space, much better transparency, rollback ability, lack of towering chains of follow-on effects as you are talking about, and applications outside of mucking around with containerized images), but for some reason everyone uses Docker, and Nix is as far as I can tell unused outside of NixOS.
  
  Whatever. When they make me king, it’ll be different, that’s all I can say.
  
  source
  - theherk@lemmy.world ⁨3⁩ ⁨weeks⁩ ago
    Nix and Docker / container runtimes are completely different animals. Each is good at what they do, but those are vastly different things, with some overlap. If you want to share a kernel but use fewer resources than a VM, containers can do that. If you want to go further and completely isolate, you can use microvm’s like firecracker.
    
    I don’t follow what is wrong with that. Maybe you mean it’s use where people use it specifically as a package manager. I agree with that, but even then it has its handy place.
    
    source
    -> View More Comments
Treczoks@lemmy.world ⁨3⁩ ⁨weeks⁩ ago
“Accidentally”

source
Pratai@lemmy.world ⁨3⁩ ⁨weeks⁩ ago
Why am I not surprised.

source
- JackbyDev@programming.dev ⁨3⁩ ⁨weeks⁩ ago
  Because people make mistakes and nobody is perfect and even paid software has problems?
  
  source
  - vrighter@discuss.tchncs.de ⁨3⁩ ⁨weeks⁩ ago
    oh for fuck’s sake. A mistake is rendering the wrong emoji. Sending your password to elsewhere is inexcusable
    
    source
    -> View More Comments
uranibaba@lemmy.world ⁨3⁩ ⁨weeks⁩ ago
Do you have a link to the file you used which has this problem?

source
- PhilipTheBucket@ponder.cat ⁨3⁩ ⁨weeks⁩ ago
  github.com/LemmyNet/…/docker-compose.yml
  
  source
LemmyBeMyself@lemmybefree.net ⁨3⁩ ⁨weeks⁩ ago
Yes, there are still some problems with the self-hosting docs

source