[BUG] SUDO_PASSWORD_HASH from docker secret fails if hash contains '/' #38

Open
@skaiser

Description

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

Setting a SUDO_PASSWORD_HASH value that has a / character results in either an incorrect value being set OR the error: sed: -e expression #1, char 88: unterminated `s' command when trying to set the value in /etc/shadow.

root/etc/s6-overlay/s6-rc.d/init-openvscode-server/run:

sed -i "s|^abc:\!:|abc:${SUDO_PASSWORD_HASH}:|" /etc/shadow

Changing that line to this works:
sed -i "s|^abc:\!:|abc:$(echo "${SUDO_PASSWORD_HASH}" | sed 's|/|\\/|g'):|" /etc/shadow

Expected Behavior

Setting a SUDO_PASSWORD_HASH value that has a / character correctly sets the password hash in /etc/shadow

Steps To Reproduce

  1. Create password hash in secret file (plain text value is 'password' in order to repro)
echo '$y$j9T$tcfKa/ZPa7BItu/yD8d.g1$ltS7XCkWm7Gq2CwtKQB9QOywCvZP99vE146fMZPU6TA'  > secrets/SUDO_PASSWORD_HASH 

Note: escaping the $ and / characters here does not work when using secret as it does when passing the value as a command line arg (e.g., -e SUDO_PASSWORD_HASH="\$y\$j9T\$tcfKa/ZPa7BItu/yD8d.g1\$ltS7XCkWm7Gq2CwtKQB9QOywCvZP99vE146fMZPU6TA").

docker secret create SUDO_PASSWORD_HASH secrets/SUDO_PASSWORD_HASH
docker run --rm \
  --secret SUDO_PASSWORD_HASH \
  -e FILE__SUDO_PASSWORD_HASH=/run/secrets/SUDO_PASSWORD_HASH \
  -e PUID=1000 \
  -e PGID=1000 \
  -e TZ=Etc/UTC \
  -p 127.0.0.1:3000:3000 \
  lscr.io/linuxserver/openvscode-server:latest
root@1d0f768fd89b:/# cat /etc/shadow
root:*:20182:0:99999:7:::
...
abc:!:20193:0:99999:7:::

Environment

- OS: Mac Sonoma 14.4
- How docker service was installed: Standard docker install

CPU architecture

arm64

Docker creation

docker run --rm \
  --secret SUDO_PASSWORD_HASH \
  -e FILE__SUDO_PASSWORD_HASH=/run/secrets/SUDO_PASSWORD_HASH \
  -e PUID=1000 \
  -e PGID=1000 \
  -e TZ=Etc/UTC \
  -p 127.0.0.1:3000:3000 \
  lscr.io/linuxserver/openvscode-server:latest

Container logs

[migrations] started
[migrations] no migrations found
[env-init] Your secret: FILE__SUDO_PASSWORD_HASH
           contains a trailing newline and may not work as expected
[env-init] SUDO_PASSWORD_HASH set from FILE__SUDO_PASSWORD_HASH
───────────────────────────────────────

      ██╗     ███████╗██╗ ██████╗
      ██║     ██╔════╝██║██╔═══██╗
      ██║     ███████╗██║██║   ██║
      ██║     ╚════██║██║██║   ██║
      ███████╗███████║██║╚██████╔╝
      ╚══════╝╚══════╝╚═╝ ╚═════╝

   Brought to you by linuxserver.io
───────────────────────────────────────

To support LSIO projects visit:
https://www.linuxserver.io/donate/

───────────────────────────────────────
GID/UID
───────────────────────────────────────

User UID:    1000
User GID:    1000
───────────────────────────────────────
Linuxserver.io version: 1.98.2-ls168
Build-date: 2025-04-19T06:51:11+00:00
───────────────────────────────────────
    
setting up sudo access
adding abc to sudoers
setting sudo password using sudo password hash
sed: -e expression #1, char 88: unterminated `s' command
setting permissions::config
setting permissions::app
[custom-init] No custom files found, skipping...
**** No connection token is set ****
Server bound to 0.0.0.0:3000 (IPv4)
Extension host agent listening on 3000

[19:25:43] 




Web UI available at http://localhost:3000
[19:25:43] Extension host agent started.
[19:25:43] Started initializing default profile extensions in extensions installation folder. file:///config/.openvscode-server/extensions
[19:25:43] Completed initializing default profile extensions in extensions installation folder. file:///config/.openvscode-server/extensions
Connection to 127.0.0.1 3000 port [tcp/*] succeeded!
[ls.io-init] done.
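
The replacement half of a sed `s` command gives special meaning to the delimiter, `&`, backslashes and newlines, so any of them in the hash changes the command that sed sees. The following added example (not part of the original issue or the project's init script) writes the field with awk instead, reading the value from the environment; `set_shadow_hash`, the `SHADOW_*` variable names and the scratch file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the image's init script. set_shadow_hash and the
# scratch file used in the demo are assumptions made for illustration.

# set_shadow_hash FILE USER HASH
# Replace the locked password field ("!") of USER in a shadow-format FILE.
# The hash reaches awk through the environment, so characters such as
# '/', '|', '&', '\' and '$' are never parsed as sed or awk syntax.
set_shadow_hash() {
    file=$1 user=$2
    # Command substitution drops trailing newlines, such as the one a
    # secret file written with `echo` carries.
    pw_hash=$(printf '%s' "$3")
    nl='
'
    # Refuse values that would break the colon- and line-delimited format.
    case $pw_hash in
        ''|*:*|*"$nl"*)
            echo "refusing hash: empty, or contains ':' or a newline" >&2
            return 1 ;;
    esac
    tmp=$(mktemp) || return 1
    if SHADOW_USER=$user SHADOW_HASH=$pw_hash awk -F: -v OFS=: '
        $1 == ENVIRON["SHADOW_USER"] && $2 == "!" { $2 = ENVIRON["SHADOW_HASH"]; n++ }
        { print }
        END { exit (n == 1 ? 0 : 1) }' "$file" > "$tmp"
    then
        # Copy the contents back so FILE keeps its owner and mode.
        cat "$tmp" > "$file"; rc=0
    else
        echo "no locked entry for $user in $file" >&2; rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Demo on constructed data: a scratch shadow file and the hash from the report.
demo_file=$(mktemp)
printf 'root:*:20182:0:99999:7:::\nabc:!:20193:0:99999:7:::\n' > "$demo_file"
demo_hash='$y$j9T$tcfKa/ZPa7BItu/yD8d.g1$ltS7XCkWm7Gq2CwtKQB9QOywCvZP99vE146fMZPU6TA'
set_shadow_hash "$demo_file" abc "$demo_hash" && grep '^abc:' "$demo_file"
rm -f "$demo_file"
```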
