SQ40102
Detected container images that contain files with setuid or setgid permissions.
| priority | CI/CD status | severity | effort | RL level | RL assessment |
|---|---|---|---|---|---|
|  | pass | medium | medium | None | None |
About the issue
Containers are a simple yet powerful approach to process and filesystem isolation. When configured correctly, a container runs a set of processes isolated from the host system. Containers typically run as executables or as services, but regardless of their use, they must be properly secured. One security principle that supports isolation is least privilege: a container should be granted only the privileges it needs to complete its task. An executable with the setuid or setgid bit set runs with the privileges of the file's owner or group (frequently root) rather than those of the user who invoked it. Inside a container, such a binary lets any process able to execute it, including one compromised through an application flaw, escalate to root within the container, which widens the attack surface for privilege escalation and for any follow-on attack that depends on root inside the container.
How to resolve the issue
- When possible, remove the setuid and setgid bits from executables that do not need them, for example by running chmod near the end of your Dockerfile, after package installation, so that later layers do not reintroduce them. Most base images ship a handful of setuid binaries (such as su, passwd, or mount) that a single-purpose service rarely invokes; confirm what your workload actually executes before stripping the bits.
- As a runtime complement, start containers with the no-new-privileges option (for example `docker run --security-opt no-new-privileges`), which makes the kernel ignore setuid and setgid bits on execve so they cannot grant extra privileges. This hardens the running container but does not change the image, so the files still need to be fixed in the image for this check to pass.
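The following script is an added example, not code from the RL policy page or from ReversingLabs: it audits a filesystem tree for setuid/setgid files and strips the bits, which is the cleanup a final Dockerfile RUN step performs. It assumes the tree root is passed as the first argument (it would be "/" inside a Dockerfile) and that the optional space-separated allow-list of basenames in the second argument is a hypothetical list of binaries your workload genuinely needs; the demo rootfs it builds is constructed sample data, not a real image.

```shell
#!/bin/sh
# Added example (not from the RL policy page): find and strip setuid/setgid
# bits from a filesystem tree. $1 is the tree root ("/" in a Dockerfile);
# $2 is a hypothetical allow-list of basenames to keep.

# List regular files under $1 with the setuid (4000) or setgid (2000) bit set.
# -perm /6000 matches either bit; -xdev stays on one filesystem so /proc,
# /sys and bind mounts are not walked when the root is "/".
list_setid_files() {
    find "$1" -xdev -type f -perm /6000 2>/dev/null | sort
}

# Number of setuid/setgid files under $1; 0 is the state SQ40102 expects.
count_setid_files() {
    list_setid_files "$1" | wc -l | tr -d ' '
}

# Remove both bits from every setuid/setgid file under $1 whose basename is
# not in the allow-list $2, and print each path that was changed.
strip_setid_bits() {
    tree=$1
    keep=${2:-}
    list_setid_files "$tree" | while IFS= read -r f; do
        case " $keep " in
            *" $(basename "$f") "*) continue ;;   # explicitly kept
        esac
        chmod u-s,g-s "$f"
        printf '%s\n' "$f"
    done
}

# Build a constructed mini rootfs in a temp dir standing in for an image
# layer (sample data for the demo, not a real image) and print its path.
make_demo_rootfs() {
    demo=$(mktemp -d)
    mkdir -p "$demo/usr/bin"
    for name in su passwd wall app; do
        printf '#!/bin/sh\necho %s\n' "$name" > "$demo/usr/bin/$name"
    done
    chmod 4755 "$demo/usr/bin/su"        # setuid, as in most base images
    chmod 4755 "$demo/usr/bin/passwd"    # setuid, rarely needed by a service
    chmod 2755 "$demo/usr/bin/wall"      # setgid
    chmod 0755 "$demo/usr/bin/app"       # ordinary executable, left untouched
    printf '%s\n' "$demo"
}

# Demo run: report, strip everything except su, report again.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_demo_rootfs)
    echo "before: $(count_setid_files "$d") setuid/setgid files"
    strip_setid_bits "$d" "su"
    echo "after:  $(count_setid_files "$d") setuid/setgid files"
    rm -rf "$d"
fi
```

Run it with `--demo` to see the before/after counts on the constructed tree. In a Dockerfile the same operation without an allow-list is a single instruction placed after the last package installation, for example `RUN find / -xdev -perm /6000 -type f -exec chmod a-s {} +`; use the allow-list form only when you have confirmed that a specific binary must keep its bit.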
Recommended reading
- Linux permissions: SUID, SGID, and sticky bit (External resource - Red Hat)
- Privilege escalation (External resource - Wikipedia)