Chown Flag Exists

• Query id: aa93e17f-b6db-4162-9334-c70334e7ac28
• Query name: Chown Flag Exists
• Platform: Dockerfile
• Severity: Low
• Category: Best Practices
• CWE: 282
• URL: Github

Description

It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user, only execution permissions are required on the file, not ownership
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - dockerfile file

FROM python:3.7
RUN pip install Flask==0.11.1
RUN useradd -ms /bin/bash patrick
COPY --chown=patrick:patrick app /app
WORKDIR /app
USER patrick
CMD ["python", "app.py"]

Code samples without security vulnerabilities

Negative test num. 1 - dockerfile file

FROM python:3.7
RUN pip install Flask==0.11.1
RUN useradd -ms /bin/bash patrick
COPY app /app
WORKDIR /app
USER patrick
CMD ["python", "app.py"]