Shared Host User Namespace

  • Query id: 8af7162d-6c98-482f-868e-0d33fb675ca8
  • Query name: Shared Host User Namespace
  • Platform: DockerCompose
  • Severity: Medium
  • Category: Resource Management
  • CWE: 668
  • URL: Github

Description

The host's user namespace should not be shared.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
version: "3"

services:
  service1:
    image: service1:3.4
    hostname: servicer
    network_mode: host
    pid: host
    userns_mode: host
    privileged: true

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
version: "3.9"

services:
  webapp:
    build:
      context: ./
      dockerfile: Dockerfile-alternate
      args:
        buildno: 1
    ports:
      - "8080:8080"
      - "3000:3000"
    security_opt:
      - apparmor:unconfined
Negative test num. 2 - yaml file
version: "3.9"

services:
  webapp:
    build:
      context: ./
      dockerfile: Dockerfile-alternate
      args:
        buildno: 1
    ports:
      - "8080:8080"
      - "3000:3000"
    security_opt:
      - apparmor:unconfined
    userns_mode: anything_but_host