Ownership of an executable has been assigned to a user other than root. More often than not, resource owners have write permissions and thus can
edit the resource.
Write permissions enable malicious actors, who got a foothold on the container, to tamper with the executable and thus manipulate the container’s
expected behavior.
Manipulating executables could disrupt services or aid in escalating privileges inside the container.
This breaches the container immutability principle as it facilitates container changes during its life. Immutability, a container best practice,
allows for a more reliable and reproducible behavior of Docker containers.
Resource ownership is not required; executables can be assigned execute permissions using chmod if needed.
Ask Yourself Whether
- A non-root user has write permissions for the executable.
There is a risk if you answered yes to the question.
Recommended Secure Coding Practices
- Use
--chmod to change executable permissions at build-time.
- Be mindful of the container immutability principle.
Sensitive Code Example
FROM example
RUN useradd exampleuser
# Sensitive
COPY --chown=exampleuser:exampleuser src.py dst.py
Compliant Solution
FROM example
COPY --chown=root:root --chmod=644 src.py dst.py
See
