Chown Flag Exists
- Query id: aa93e17f-b6db-4162-9334-c70334e7ac28
- Query name: Chown Flag Exists
- Platform: Dockerfile
- Severity: Low
- Category: Best Practices
- CWE: 282
- URL: Github
Description
It is considered a best practice for every executable in a container to be owned by the root user, even if it is executed by a non-root user. Only execution permissions are required on the file, not ownership.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - dockerfile file
FROM python:3.7
RUN pip install Flask==0.11.1
RUN useradd -ms /bin/bash patrick
COPY --chown=patrick:patrick app /app
WORKDIR /app
USER patrick
CMD ["python", "app.py"]
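A small Python check for the pattern this query flags, run against the sample above. It is an added example, not the KICS query itself; the helper names `instructions` and `find_chown_flags` and the `FIXED` variant are constructed for illustration.

```python
# The page's positive sample, embedded so the check runs offline.
SAMPLE = '''FROM python:3.7
RUN pip install Flask==0.11.1
RUN useradd -ms /bin/bash patrick
COPY --chown=patrick:patrick app /app
WORKDIR /app
USER patrick
CMD ["python", "app.py"]
'''

# Constructed variant: the flag is removed, so /app stays root-owned while
# the process still runs as the non-root user set by USER.
FIXED = SAMPLE.replace("--chown=patrick:patrick ", "")


def instructions(text):
    """Yield (first_line_number, instruction), joining backslash continuations."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank and comment lines are not part of any instruction
        if start is None:
            start = n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", None
    if buf:
        yield start, buf.strip()


def find_chown_flags(text):
    """Return (line, owner) for each COPY/ADD instruction that sets --chown."""
    hits = []
    for n, instr in instructions(text):
        parts = instr.split()
        if parts[0].upper() not in ("COPY", "ADD"):
            continue
        for tok in parts[1:]:
            if not tok.startswith("--"):
                break  # flags end at the first source path
            if tok.lower().startswith("--chown="):
                hits.append((n, tok.split("=", 1)[1]))
    return hits
```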