Ownership or write permissions for a file or directory copied to the Docker image have been assigned to a user other than root.
Write permissions enable malicious actors, who have a foothold on the container, to tamper with the resource and thus potentially manipulate the
container’s expected behavior.
Manipulating files could disrupt services or aid in escalating privileges inside the container.
This also breaches the container immutability principle as it facilitates container changes during its life. Immutability, a container best
practice, allows for a more reliable and reproducible behavior of Docker containers.
If a user is given ownership of a file but no write permissions, the user can still modify it by first using that ownership to change the file's permissions.
This is why both ownership and write permissions for non-root users should be avoided.
Ask Yourself Whether
- A non-root user owns the resource.
- A non-root user has been granted write permissions for the resource.
There is a risk if you answered yes to any of these questions.
Recommended Secure Coding Practices
- Use --chmod to change the permissions so that only root users can write to files.
- Use --chown to change the file/directory owner to a root user.
- Be mindful of the container immutability principle.
Sensitive Code Example
FROM example
RUN useradd exampleuser
# Sensitive
COPY --chown=exampleuser:exampleuser src.py dst.py
Compliant Solution
FROM example
# Compliant: root owns the file and only the owner has write permission (755)
COPY --chown=root:root --chmod=755 src.py dst.py
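As an added example that is not part of the rule text, the following POSIX shell helper audits a directory for the two conditions the rule describes: paths owned by someone other than root (who could chmod them) and paths with a group or other write bit. It can be run inside a built image or against a filesystem exported with docker export; the function names, the OWNER argument and the paths are assumptions.

```shell
#!/bin/sh
# Added audit helper (not part of the rule or of Docker). Lists paths under a
# directory that a non-root user could change, for the two reasons the rule
# describes: a non-root owner, who can chmod the file and then write to it,
# or a write bit for group/other. Function names and paths are assumptions.

# Usage: audit_nonroot_writable DIR [OWNER]
# Prints one "path<TAB>reason" line per finding. OWNER defaults to root so that
# the check matches the rule; the test harness passes the current user instead.
audit_nonroot_writable() {
    dir="$1"
    owner="${2:-root}"
    # Reason 1: owned by someone other than OWNER. Ownership alone is enough,
    # because the owner may chmod the file even when it has no write bit.
    find "$dir" \( -type f -o -type d \) ! -user "$owner" \
        -exec sh -c 'printf "%s\tnon-%s-owner\n" "$1" "$2"' _ {} "$owner" \;
    # Reason 2: group (020) or other (002) write bit set, whoever owns it.
    find "$dir" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) \
        -exec sh -c 'printf "%s\tgroup-or-other-writable\n" "$1"' _ {} \;
}

# CI gate: returns 0 when nothing is reported, 1 (and prints the findings to
# stderr) otherwise. Usage: assert_root_only_writable DIR [OWNER]
assert_root_only_writable() {
    findings=$(audit_nonroot_writable "$1" "${2:-root}")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings" >&2
        return 1
    fi
    return 0
}
```

Run it against the directory your COPY targets (for example the image's application directory) after the build; an empty report means every path is root-owned and writable only by its owner.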