54 lines
1.1 KiB
Plaintext
54 lines
1.1 KiB
Plaintext
|
include::../description.adoc[]
|
||
|
|
|
||
|
|
include::../ask-yourself.adoc[]
|
||
|
|
|
||
|
|
include::../recommended.adoc[]
|
||
|
|
|
||
|
|
== Sensitive Code Example
|
||
|
|
|
||
|
|
[source,docker]
|
||
|
|
----
|
||
|
|
FROM example
|
||
|
|
|
||
|
|
RUN useradd exampleuser
|
||
|
|
# Sensitive
|
||
|
|
COPY --chown=exampleuser:exampleuser src.py dst.py
|
||
|
|
----
|
||
|
|
|
||
|
|
== Compliant Solution
|
||
|
|
|
||
|
|
[source,docker]
|
||
|
|
----
|
||
|
|
FROM example
|
||
|
|
|
||
|
|
COPY src.py dst.py
|
||
|
|
----
|
||
|
|
|
||
|
|
== See
|
||
|
|
|
||
|
|
* https://docs.docker.com/engine/reference/builder/#add[Dockerfile reference] - ADD instruction
|
||
|
|
* https://docs.docker.com/engine/reference/builder/#copy[Dockerfile reference] - COPY instruction
|
||
|
|
* https://cwe.mitre.org/data/definitions/732.html[MITRE, CWE-732] - Incorrect Permission Assignment for Critical Resource
|
||
|
|
* https://cloud.google.com/architecture/best-practices-for-operating-containers#immutability[Google Cloud, Immutability] - Best practices for operating containers
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
ifdef::env-github,rspecator-view[]
|
||
|
|
'''
|
||
|
|
== Implementation Specification
|
||
|
|
(visible only on this page)
|
||
|
|
|
||
|
|
=== Message
|
||
|
|
|
||
|
|
Make sure no write permissions are assigned to the executable.
|
||
|
|
|
||
|
|
|
||
|
|
=== Highlighting
|
||
|
|
|
||
|
|
Highlight the executable name as primary location and the chown flag/command as secondary location.
|
||
|
|
|
||
|
|
'''
|
||
|
|
endif::env-github,rspecator-view[]
|
||
|
|
|
||
|
|
|