Chown Flag Exists

  • Query id: aa93e17f-b6db-4162-9334-c70334e7ac28
  • Query name: Chown Flag Exists
  • Platform: Dockerfile
  • Severity: Low
  • Category: Best Practices
  • URL: Github

Description

It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user, only execution permissions are required on the file, not ownership
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - dockerfile file
FROM python:3.7
RUN pip install Flask==0.11.1
RUN useradd -ms /bin/bash patrick
COPY --chown=patrick:patrick app /app
WORKDIR /app
USER patrick
CMD ["python", "app.py"]

Code samples without security vulnerabilities

Negative test num. 1 - dockerfile file
FROM python:3.7
RUN pip install Flask==0.11.1
RUN useradd -ms /bin/bash patrick
COPY app /app
WORKDIR /app
USER patrick
CMD ["python", "app.py"]