dockerfile.security.last-user-is-root.last-user-is-root

profile photo of semgrepsemgrep
Author
unknown
Download Count*
LGPL Commons Clause
License

The last user in the container is 'root'. This is a security hazard because if an attacker gains control of the container they will have root access. Switch back to another user after running commands as 'root'.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: last-user-is-root
    patterns:
      - pattern: USER root
      - pattern-not-inside:
          patterns:
            - pattern: |
                USER root
                ...
                USER $X
            - metavariable-pattern:
                metavariable: $X
                patterns:
                  - pattern-not: root
    message: The last user in the container is 'root'. This is a security hazard
      because if an attacker gains control of the container they will have root
      access. Switch back to another user after running commands as 'root'.
    severity: ERROR
    languages:
      - dockerfile
    metadata:
      cwe:
        - "CWE-269: Improper Privilege Management"
      source-rule-url: https://github.com/hadolint/hadolint/wiki/DL3002
      references:
        - https://github.com/hadolint/hadolint/wiki/DL3002
      category: security
      technology:
        - dockerfile
      confidence: MEDIUM
      owasp:
        - A04:2021 - Insecure Design
      subcategory:
        - audit
      likelihood: MEDIUM
      impact: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authorization

Examples

last-user-is-root.dockerfile

FROM busybox


RUN git clone https://github.com/returntocorp/semgrep
RUN pip3 install semgrep
RUN semgrep -f p/xss
USER swuser
USER root

USER user1
# ruleid: last-user-is-root
USER root