Last User Is 'root'

  • Query id: 67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae
  • Query name: Last User Is 'root'
  • Platform: Dockerfile
  • Severity: High
  • Category: Best Practices
  • CWE: 250
  • URL: Github

Description

Leaving the last user as root can cause security risks. Change to another user after running the commands that need privileges.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - dockerfile file
FROM alpine:2.6
USER root
RUN npm install

Code samples without security vulnerabilities

Negative test num. 1 - dockerfile file
FROM alpine:2.6
USER root
RUN npm install
USER guest

Negative test num. 2 - dockerfile file
FROM golang:1.16 AS builder
WORKDIR /go/src/github.com/foo/href-counter/
RUN go get -d -v golang.org/x/net/html  
COPY app.go    ./
RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
USER root

FROM alpine:latest  
RUN apk --no-cache add ca-certificates
WORKDIR /root/
COPY --from=builder /go/src/github.com/foo/href-counter/app ./
CMD ["./app"]
RUN useradd -ms /bin/bash patrick

USER patrick
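
The samples above imply that only the last USER instruction of the final build stage decides the result: negative test 2 passes even though its builder stage ends with USER root. The following check is an added example, not the query's own code; the function names are hypothetical, and treating "root:group" and UID 0 as root is an assumption that goes beyond what the page states.

```python
# Illustrative check; samples are constructed from the page's test files (negative 2 abridged).
POSITIVE_1 = "FROM alpine:2.6\nUSER root\nRUN npm install\n"
NEGATIVE_1 = POSITIVE_1 + "USER guest\n"
NEGATIVE_2 = """FROM golang:1.16 AS builder
RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
USER root

FROM alpine:latest
COPY --from=builder /go/src/github.com/foo/href-counter/app ./
USER patrick
"""

def instructions(text):
    """Yield (line_no, KEYWORD, args); joins backslash continuations, skips comments."""
    pending, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not pending:
            start = no
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        parts = (pending + line).split(None, 1)
        pending = ""
        yield start, parts[0].upper(), parts[1] if len(parts) > 1 else ""

def last_user_of_final_stage(text):
    """Return (line_no, value) of the last USER in the final stage, or None."""
    last = None
    for no, keyword, args in instructions(text):
        if keyword == "FROM":
            last = None  # new stage: only the final stage becomes the shipped image
        elif keyword == "USER":
            last = (no, args.strip())
    return last

def last_user_is_root(text):
    found = last_user_of_final_stage(text)
    if found is None:
        return False  # no explicit USER in the final stage: nothing for this rule to compare
    # Assumption beyond the page: "root:group" and UID 0 are treated as root too.
    user = found[1].split(":", 1)[0].strip("\"'")
    return user in ("root", "0")

if __name__ == "__main__":
    for name in ("POSITIVE_1", "NEGATIVE_1", "NEGATIVE_2"):
        print(name, "flagged" if last_user_is_root(globals()[name]) else "ok")
```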