16f6c0aecf
Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in.
66 lines
1.5 KiB
Plaintext
66 lines
1.5 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
== Ask Yourself Whether
|
|
|
|
* The container is designed to be a multi-user environment.
|
|
* Services are run by dedicated low-privileged users to achieve privileges separation.
|
|
|
|
There is a risk if you answered yes to any of those questions.
|
|
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
To be secure, remove the unnecessary permissions. If required, use `--chown` to
|
|
set the target user and group.
|
|
|
|
|
|
== Sensitive Code Example
|
|
|
|
[source,docker]
|
|
----
|
|
# Sensitive
|
|
ADD --chmod=777 src dst
|
|
# Sensitive
|
|
COPY --chmod=777 src dst
|
|
# Sensitive
|
|
RUN chmod +x resource
|
|
# Sensitive
|
|
RUN chmod u+s resource
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
[source,docker]
|
|
----
|
|
ADD --chmod=754 src dst
|
|
COPY --chown=user:user --chmod=744 src dst
|
|
RUN chmod u+x resource
|
|
RUN chmod +t resource
|
|
----
|
|
|
|
== See
|
|
|
|
* https://cwe.mitre.org/data/definitions/284[MITRE, CWE-732] - Incorrect Permission Assignment for Critical Resource
|
|
* https://docs.docker.com/engine/reference/builder/#add[ADD] - Docker ADD command
|
|
* https://docs.docker.com/engine/reference/builder/#copy[COPY] - Docker COPY command
|
|
* https://man.archlinux.org/man/core/man-pages/chmod.1p.en[chmod reference] - `chmod` command
|
|
* https://man.archlinux.org/man/chown.1.en[chown reference] - `chown` command
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
=== Message
|
|
|
|
Make sure granting write access to others is safe here.
|
|
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::../comments-and-links.adoc[]
|
|
endif::env-github,rspecator-view[]
|