rspec/rules/S6504/docker/rule.adoc

Ownership of an executable has been assigned to a user other than root. More
often than not, resource owners have write permissions and thus can edit the
resource.

Write permissions enable malicious actors, who got a foothold on the container,
to tamper with the executable and thus manipulate the container's expected behavior. +
Manipulating executables could disrupt services or aid in escalating privileges
inside the container. +

This breaches the container immutability principle as it facilitates container
changes during its life. Immutability, a container best practice, allows for a
more reliable and reproducible behavior of Docker containers.

Resource ownership is not required; executables can be assigned execute
permissions using `chmod` if needed.


== Ask Yourself Whether

* A non-root user has write permissions for the executable.

There is a risk if you answered yes to the question.


== Recommended Secure Coding Practices

* Use `--chmod` to change executable permissions at build-time.
* Be mindful of the container immutability principle.


== Sensitive Code Example

[source,docker]
----
FROM example

RUN useradd exampleuser
# Sensitive
COPY --chown=exampleuser:exampleuser src.py dst.py
----

== Compliant Solution

[source,docker]
----
FROM example

COPY --chown=root:root --chmod=644 src.py dst.py
----

== See

* https://docs.docker.com/engine/reference/builder/#add[Dockerfile reference] - ADD instruction
* https://docs.docker.com/engine/reference/builder/#copy[Dockerfile reference] - COPY instruction
* https://cwe.mitre.org/data/definitions/732.html[MITRE, CWE-732] - Incorrect Permission Assignment for Critical Resource
* https://cloud.google.com/architecture/best-practices-for-operating-containers#immutability[Google Cloud, Immutability] - Best practices for operating containers


ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)

=== Message

Make sure no write permissions are assigned to the executable.


=== Highlighting

Highlight the executable name as primary location and the chown flag/command as secondary location.

'''
endif::env-github,rspecator-view[]
Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`Ownership of an executable has been assigned to a user other than root. More`
			`often than not, resource owners have write permissions and thus can edit the`
			`resource.`
Create rule S6504: Having executables not owned by root is security-sensitive (#1581) 2023-02-22 14:35:19 +01:00
Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`Write permissions enable malicious actors, who got a foothold on the container,`
			`to tamper with the executable and thus manipulate the container's expected behavior. +`
			`Manipulating executables could disrupt services or aid in escalating privileges`
			`inside the container. +`

			`This breaches the container immutability principle as it facilitates container`
			`changes during its life. Immutability, a container best practice, allows for a`
			`more reliable and reproducible behavior of Docker containers.`

			`Resource ownership is not required; executables can be assigned execute`
			permissions using `chmod` if needed.


			`== Ask Yourself Whether`

			`* A non-root user has write permissions for the executable.`

			`There is a risk if you answered yes to the question.`


			`== Recommended Secure Coding Practices`

			* Use `--chmod` to change executable permissions at build-time.
			`* Be mindful of the container immutability principle.`
Create rule S6504: Having executables not owned by root is security-sensitive (#1581) 2023-02-22 14:35:19 +01:00

			`== Sensitive Code Example`

			`[source,docker]`
			`----`
			`FROM example`

			`RUN useradd exampleuser`
			`# Sensitive`
			`COPY --chown=exampleuser:exampleuser src.py dst.py`
			`----`

			`== Compliant Solution`

			`[source,docker]`
			`----`
			`FROM example`

Modify rule S6504: Update code example (#3138) 2023-09-25 12:41:03 +02:00			`COPY --chown=root:root --chmod=644 src.py dst.py`
Create rule S6504: Having executables not owned by root is security-sensitive (#1581) 2023-02-22 14:35:19 +01:00			`----`

			`== See`

			`* https://docs.docker.com/engine/reference/builder/#add[Dockerfile reference] - ADD instruction`
			`* https://docs.docker.com/engine/reference/builder/#copy[Dockerfile reference] - COPY instruction`
			`* https://cwe.mitre.org/data/definitions/732.html[MITRE, CWE-732] - Incorrect Permission Assignment for Critical Resource`
			`* https://cloud.google.com/architecture/best-practices-for-operating-containers#immutability[Google Cloud, Immutability] - Best practices for operating containers`



			`ifdef::env-github,rspecator-view[]`
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`=== Message`

			`Make sure no write permissions are assigned to the executable.`


			`=== Highlighting`

			`Highlight the executable name as primary location and the chown flag/command as secondary location.`

			`'''`
			`endif::env-github,rspecator-view[]`