SQ40101
Detected container images configured to run with administrative privileges.
| priority | CI/CD status | severity | effort | RL level | RL assessment |
|---|---|---|---|---|---|
 | pass | medium | medium | None | None |
About the issueโ
Containers are a simple, yet powerful approach to process and filesystem isolation. When configured correctly, a container runs a set of processes isolated from their host system. Containers typically run as executables or as services, but regardless of their use, they must be properly secured. One security concept that fosters isolation is the principle of least privilege, meaning that a container should be given only those privileges needed to complete its task. Containers without a configured user identity will run as root, meaning that any kind of container compromise (both remote and local) will give administrative access to the entire container, its processes, and filesystem.
How to resolve the issueโ
- If a service can run without privileges, create a specific user (with commands like 'groupadd' and 'useradd' on Linux, and 'net user' on Windows), and then switch to the non-root user with the 'USER' Dockerfile instruction.
Incidence statisticsโ
ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes.
For every repository, the chart shows the percentage of projects that triggered the software assurance policy. In other words, it shows how many projects were found to have the specific issue described on this page.
The percentages are calculated from the total amount of packages analyzed:
- RubyGems: 174K
- Nuget: 189K
- PyPi: 403K
- NPM: 2.1M
Recommended readingโ
- Dockerfile Reference - USER (External resource - Docker)
- Processes In Containers Should Not Run As Root (External resource - Medium)