✦ For everyone, free.

Practical knowledge for real and everyday life

Home

11.2.3.4 Config Write Protection

A focused guide to Config Write Protection, connecting core concepts with practical Docker and container operations.

Config write protection ensures an application's configuration files remain unmodifiable at runtime, an important specific application of a read-only filesystem strategy, since configuration tampering is a particularly consequential category of unauthorized modification a compromised process might otherwise attempt.

Why Configuration Files Are a Particularly Sensitive Target

Modifying an application's configuration could allow a compromised process to redirect the application's behavior — pointing it at a malicious external service, disabling a security feature, or otherwise subverting its intended operation.

docker exec myapp cat /app/config.yaml

Protecting this kind of file from runtime modification specifically guards against this particular category of compromise consequence.

Ensuring Configuration Lives on a Read-Only Path

Keeping configuration files within the container's otherwise read-only root filesystem, rather than within a separately writable mount, ensures they benefit from this same immutability guarantee.

docker run --read-only -v app-uploads:/app/uploads myapp:1.0

Here, /app/config.yaml (assuming it's not under /app/uploads) remains read-only, while only the specifically designated uploads path is writable.

Why This Differs From Externally Supplied, Legitimately Updatable Configuration

A legitimate configuration update should happen through redeploying the container with updated configuration, not through in-place runtime modification — config write protection specifically targets unauthorized, in-place tampering, not the application's normal configuration update process.

docker compose up -d --force-recreate api

This is the appropriate way to apply a genuine, intentional configuration change, rather than modifying the file directly within a running container.

Verifying Configuration Tampering Is Actually Blocked

Testing that an attempted runtime modification to a configuration file actually fails confirms this protection is correctly in effect.

docker exec myapp sh -c "echo 'malicious: true' >> /app/config.yaml"

sh: can't create temporary file: Read-only file system
Why Config Write Protection Matters

Specifically ensuring configuration files remain unmodifiable at runtime closes off a particularly consequential avenue a compromised process might otherwise use to subvert an application's intended behavior, making this an especially valuable application of the broader read-only filesystem strategy.

Related content