ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S6504/docker/rule.adoc
daniel-teuchert-sonarsource b7c4d7a88c
Modify rule S6504: Clarify intention of rule (APPSEC-1350) (#3528) 
* Adjust rule S6504

* Update rules/S6504/docker/rule.adoc

Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com>

* Update rules/S6504/docker/rule.adoc

Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com>

* Adjustments after review

* Added information to recommended secure coding practices

* Update rule.adoc

---------

Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com>
2024-01-31 10:37:36 +01:00

76 lines
2.4 KiB
Plaintext
Raw Blame History

Ownership or write permissions for a file or directory copied to the Docker image have been assigned to a user other than root.
Write permissions enable malicious actors, who have a foothold on the container,
to tamper with the resource and thus potentially manipulate the container's expected behavior. +
Manipulating files could disrupt services or aid in escalating privileges inside the container. +
This also breaches the container immutability principle as it facilitates container
changes during its life. Immutability, a container best practice, allows for a
more reliable and reproducible behavior of Docker containers.
If a user is given ownership on a file but no write permissions, the user can still modify it by using his ownership to change the file permissions first. This is why both ownership and write permissions should be avoided.
== Ask Yourself Whether
* A non-root user owns the resource.
* A non-root user has been granted write permissions for the resource.
There is a risk if you answered yes to any of these questions.
== Recommended Secure Coding Practices
* Use `--chmod` to change the permissions so that only root users can write to files.
* Use `--chown` to change the file/directory owner to a root user.
* Be mindful of the container immutability principle.
== Sensitive Code Example
[source,docker,diff-id=1,diff-type=noncompliant]
----
FROM example
RUN useradd exampleuser
# Sensitive
COPY --chown=exampleuser:exampleuser src.py dst.py
----
== Compliant Solution
[source,docker,diff-id=1,diff-type=compliant]
----
FROM example
COPY --chown=root:root --chmod=755 src.py dst.py
----
== See
* https://docs.docker.com/engine/reference/builder/#add[Dockerfile reference] - ADD instruction
* https://docs.docker.com/engine/reference/builder/#copy[Dockerfile reference] - COPY instruction
* CWE - https://cwe.mitre.org/data/definitions/732[CWE-732 - Incorrect Permission Assignment for Critical Resource]
* https://cloud.google.com/architecture/best-practices-for-operating-containers#immutability[Google Cloud, Immutability] - Best practices for operating containers
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
Make sure no write permissions are assigned to the copied resource.
=== Highlighting
Highlight the name of the copied resource as primary location and the chown flag/command as secondary location.
'''
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink