dockerfile.security.last-user-is-root.last-user-is-root

Author
unknown
The last user in the container is 'root'. This is a security hazard because if an attacker gains control of the container they will have root access. Switch back to another user after running commands as 'root'.
Definition
rules:
  - id: last-user-is-root
    patterns:
      - pattern-inside: |
          USER $F
          ...
          USER $X
      - pattern-not-inside: |
          ...
          USER $X
          ...
          USER $F
      - focus-metavariable: $X
      - metavariable-regex:
          metavariable: $X
          regex: ^(root)$
      - metavariable-regex:
          metavariable: $F
          regex: (.*(?!root))
    message: The last user in the container is 'root'. This is a security hazard
      because if an attacker gains control of the container they will have root
      access. Switch back to another user after running commands as 'root'.
    severity: ERROR
    languages:
      - dockerfile
    metadata:
      cwe:
        - "CWE-269: Improper Privilege Management"
      source-rule-url: https://github.com/hadolint/hadolint/wiki/DL3002
      references:
        - https://github.com/hadolint/hadolint/wiki/DL3002
      category: security
      technology:
        - dockerfile
      confidence: MEDIUM
      owasp:
        - A04:2021 - Insecure Design
      subcategory:
        - audit
      likelihood: MEDIUM
      impact: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
Examples
last-user-is-root.dockerfile
FROM busybox
RUN git clone https://github.com/returntocorp/semgrep
RUN pip3 install semgrep
RUN semgrep -f p/xss
USER swuser
# ruleid: last-user-is-root
USER root
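The following is an added example, not part of the Semgrep rule or of hadolint: a small POSIX shell check that reports the user a container will run as at the end of a Dockerfile, which is what the rule above flags. It goes a little beyond the rule in two ways, both assumptions of this example: a Dockerfile with no USER instruction at all is reported as root (the default when the base image does not set one), and "USER 0" is treated like "USER root" because both resolve to uid 0. The two Dockerfiles it inspects are constructed inline; the first is the page's own example, the second is the same build with the privilege drop moved to the end.

```shell
#!/bin/sh
# Added example: report the final USER of a Dockerfile (assumptions as stated in
# the lead-in). Not the Semgrep rule's implementation.

# last_user FILE
# Prints the user named by the last USER instruction, with any ":group" suffix
# removed. Prints "root" when the file has no USER instruction at all.
last_user() {
    awk '
        toupper($1) == "USER" { u = $2; sub(/:.*/, "", u) }
        END { print (u == "" ? "root" : u) }
    ' "$1"
}

# ends_as_root FILE
# Exit status 0 when the container would finish its build running as uid 0
# ("root" or the numeric "0"), 1 otherwise.
ends_as_root() {
    u=$(last_user "$1")
    [ "$u" = "root" ] || [ "$u" = "0" ]
}

# Constructed sample inputs (written to a temporary directory so the example
# runs offline). Cleaned up when the shell exits.
EXAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$EXAMPLE_DIR"' EXIT

# The page's example: drops to swuser, then switches back to root and stays there.
cat > "$EXAMPLE_DIR/flagged.dockerfile" <<'EOF'
FROM busybox
RUN git clone https://github.com/returntocorp/semgrep
RUN pip3 install semgrep
RUN semgrep -f p/xss
USER swuser
USER root
EOF

# Remediated form: do the privileged steps as root, then switch to swuser last.
cat > "$EXAMPLE_DIR/fixed.dockerfile" <<'EOF'
FROM busybox
USER root
RUN git clone https://github.com/returntocorp/semgrep
RUN pip3 install semgrep
USER swuser:swgroup
RUN semgrep -f p/xss
EOF

# No USER instruction at all: implicitly root unless the base image says otherwise.
cat > "$EXAMPLE_DIR/implicit.dockerfile" <<'EOF'
FROM busybox
RUN pip3 install semgrep
EOF

for f in "$EXAMPLE_DIR"/*.dockerfile; do
    if ends_as_root "$f"; then verdict="ends as root"; else verdict="ok"; fi
    printf '%s: USER %s (%s)\n' "$(basename "$f")" "$(last_user "$f")" "$verdict"
done
```

Run it with `sh check.sh`; in practice you would point `last_user` at the Dockerfiles in a repository and fail the build when `ends_as_root` succeeds, which catches the same cases as the rule plus the no-USER case that Semgrep's pattern, needing an earlier `USER $F`, does not match.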
Short Link: https://sg.run/5Z43