trailofbits.generic.container-user-root.container-user-root

Author: trailofbits

Found container command running as root


Definition

rules:
  - id: container-user-root
    message: Found container command running as root
    languages:
      - generic
    severity: WARNING
    metadata:
      category: security
      subcategory:
        - audit
      technology:
        - shell
      cwe: "CWE-250: Execution with Unnecessary Privileges"
      confidence: MEDIUM
      likelihood: MEDIUM
      impact: HIGH
      references:
        - https://docs.docker.com/engine/reference/commandline/run/
      license: AGPL-3.0 license
      vulnerability_class:
        - Improper Authorization
    pattern-either:
      - pattern: docker ... -u root
      - pattern: docker ... -u 0
      - pattern: docker ... --user root
      - pattern: docker ... --user 0
      - pattern: podman ... -u root
      - pattern: podman ... -u 0
      - pattern: podman ... --user root
      - pattern: podman ... --user 0

Examples

container-user-root.sh

#!/bin/bash

# ruleid: container-user-root
docker run -u root hello-world

# ruleid: container-user-root
podman run --user root hello-world

# ok: container-user-root
docker run hello-world

# ok: container-user-root
podman run hello-world
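The detection logic of the rule above, re-implemented as a small standalone scanner so the matching behaviour can be exercised on sample lines. This is an added example, not Trail of Bits' rule code or a Semgrep API: it mirrors the rule's idea (a docker/podman invocation followed by -u/--user with root or uid 0) and goes slightly beyond the rule's eight patterns by also accepting the --user=VALUE form and a VALUE:GROUP suffix. The sample lines are constructed for this example.

```python
import shlex

# Constructed sample lines (not the rule's own test file).
SAMPLE_LINES = [
    "docker run -u root hello-world",            # flagged: short flag, name
    "podman run --user root hello-world",        # flagged: long flag, name
    "docker run --rm -it --user 0 alpine sh",    # flagged: uid 0 after other flags
    "docker run --user=root alpine id",          # flagged: equals form (extension)
    "docker run -u 1000:1000 hello-world",       # ok: unprivileged uid:gid
    "podman run hello-world",                    # ok: no explicit user (image default)
]

CONTAINER_CLIS = {"docker", "podman"}
ROOT_VALUES = {"root", "0"}


def runs_as_root(line: str) -> bool:
    """Return True if the line runs a docker/podman command as root.

    Like the Semgrep generic pattern 'docker ... -u root', anything may sit
    between the CLI name and the user flag. A value such as 'root:root' or
    '0:0' counts as root because the user part is what matters here.
    """
    try:
        tokens = shlex.split(line, comments=True)
    except ValueError:
        tokens = line.split()  # unbalanced quotes: fall back to whitespace split
    seen_cli = False
    for i, tok in enumerate(tokens):
        if tok in CONTAINER_CLIS:
            seen_cli = True
            continue
        if not seen_cli:
            continue
        value = None
        if tok in ("-u", "--user") and i + 1 < len(tokens):
            value = tokens[i + 1]
        elif tok.startswith("--user="):
            value = tok.split("=", 1)[1]
        if value is not None and value.split(":", 1)[0] in ROOT_VALUES:
            return True
    return False


def scan(lines):
    """Return (line_number, line) for each finding, like a linter report."""
    return [(n, l) for n, l in enumerate(lines, start=1) if runs_as_root(l)]


if __name__ == "__main__":
    for n, l in scan(SAMPLE_LINES):
        print(f"line {n}: container command running as root: {l}")
```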