rspec/rules/S6469/docker/rule.adoc

== Why is this an issue?

Docker offers a feature to mount files and directories for specific `RUN`
instructions when building Docker images. This feature can be used to provide
secrets to the commands that are executed during the build without baking them
into the image. Additionally, it can be used to access SSH agents during the
build.

By using the `mode` option the permissions of the secrets or agents can be
modified. By default, access is limited to the root user.

When such secrets are exposed with lax permissions, they might get compromised
during the image build process. A successful compromise can only happen during
the execution of the command the `mount` option has been added to. While this
might seem like a very hard exploitation requirement, supply chain attacks, and
other related threats, should still be considered.

If you are executing a command as a low-privileged user and need to access
secrets or agents, you can use the options `uid` and `gid` to provide access
without having to resort to world-readable or writable permissions that might
expose them to unintended parties.


=== Noncompliant code example

[source,docker]
----
RUN --mount=type=secret,id=build_secret,mode=0777 ./installer.sh # Noncompliant
----

=== Compliant solution

[source,docker]
----
RUN --mount=type=secret,id=build_secret,uid=1000 ./installer.sh
----

== Resources

* https://cwe.mitre.org/data/definitions/732[MITRE, CWE-732] - Incorrect Permission Assignment for Critical Resource
* https://docs.docker.com/engine/reference/builder/#run---mounttypesecret[Dockerfile reference] - RUN --mount


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

For secret:

 * Remove world permissions for this sensitive file.

For ssh:

 * Remove world permissions for this sensitive agent.


'''
endif::env-github,rspecator-view[]
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`== Why is this an issue?`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			Docker offers a feature to mount files and directories for specific `RUN`
			`instructions when building Docker images. This feature can be used to provide`
			`secrets to the commands that are executed during the build without baking them`
			`into the image. Additionally, it can be used to access SSH agents during the`
			`build.`

			By using the `mode` option the permissions of the secrets or agents can be
			`modified. By default, access is limited to the root user.`

			`When such secrets are exposed with lax permissions, they might get compromised`
			`during the image build process. A successful compromise can only happen during`
			the execution of the command the `mount` option has been added to. While this
			`might seem like a very hard exploitation requirement, supply chain attacks, and`
			`other related threats, should still be considered.`

			`If you are executing a command as a low-privileged user and need to access`
			secrets or agents, you can use the options `uid` and `gid` to provide access
			`without having to resort to world-readable or writable permissions that might`
			`expose them to unintended parties.`

Create rule S6469: Permissions of sensitive mount points should be restrictive (#1394) 2022-11-18 14:47:39 +01:00
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`=== Noncompliant code example`
Create rule S6469: Permissions of sensitive mount points should be restrictive (#1394) 2022-11-18 14:47:39 +01:00
			`[source,docker]`
			`----`
			`RUN --mount=type=secret,id=build_secret,mode=0777 ./installer.sh # Noncompliant`
			`----`

migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`=== Compliant solution`
Create rule S6469: Permissions of sensitive mount points should be restrictive (#1394) 2022-11-18 14:47:39 +01:00
			`[source,docker]`
			`----`
			`RUN --mount=type=secret,id=build_secret,uid=1000 ./installer.sh`
			`----`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`== Resources`

			`* https://cwe.mitre.org/data/definitions/732[MITRE, CWE-732] - Incorrect Permission Assignment for Critical Resource`
			`* https://docs.docker.com/engine/reference/builder/#run---mounttypesecret[Dockerfile reference] - RUN --mount`

Create rule S6469: Permissions of sensitive mount points should be restrictive (#1394) 2022-11-18 14:47:39 +01:00
			`ifdef::env-github,rspecator-view[]`

			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== Message`

			`For secret:`

			`* Remove world permissions for this sensitive file.`

			`For ssh:`

			`* Remove world permissions for this sensitive agent.`

Create rule S6469: Permissions of sensitive mount points should be restrictive (#1394) 2022-11-18 14:47:39 +01:00

			`'''`
			`endif::env-github,rspecator-view[]`