
Metadata

ID: docker-best-practices/no-new-privileges

Language: YAML

Severity: Warning

Category: Security

CWE: 732

Description

This rule aims to prevent privilege escalation vulnerabilities in Docker Compose configurations by ensuring that the no-new-privileges security option is enabled. Privilege escalation occurs when a container can gain additional rights beyond its intended permissions, potentially compromising the host system or other containers.

Enabling no-new-privileges:true in the security_opt list of a service ensures that processes inside the container cannot gain new privileges via setuid or setgid binaries. This restriction helps maintain a secure environment by limiting the container's ability to perform unauthorized actions, reducing the attack surface.

To comply with this rule, ensure that each service in your Docker Compose file sets the no-new-privileges option in its security_opt list, as shown below.

security_opt:
  # A single "key:value" string handed to the container runtime; quoting
  # keeps it a string and avoids any chance of it being read as a mapping.
  - 'no-new-privileges:true'

Non-Compliant Code Examples

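version: '3.3'

services:
  # NON-COMPLIANT: no security_opt, so processes in this container can still
  # gain privileges through setuid/setgid binaries.
  postgres:
    build:
      context: .
      dockerfile: Dockerfile.db
    ports:
      # Quoted so the "host:container" mapping stays a string on every loader.
      - '5432:5432'

  # NON-COMPLIANT: the option is present but explicitly disabled.
  redis:
    image: redis:alpine
    read_only: true
    security_opt:
      # security_opt entries are "key:value" strings; a space after the colon
      # would turn this list item into a YAML mapping rather than a string.
      - 'no-new-privileges:false'

  # NON-COMPLIANT: no security_opt.
  sqli:
    build:
      context: .
      dockerfile: Dockerfile.app
    depends_on:
      - postgres
      - redis
    ports:
      - '8080:8080'
    # Literal block scalar: any trailing whitespace on the content line would
    # become part of the command string, so the line ends at "run.py".
    command: |
      wait-for postgres:5432 -- python run.py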
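version: '3.3'

services:
  # NON-COMPLIANT: no security_opt on any service in this file, so every
  # container keeps the ability to gain privileges via setuid/setgid binaries.
  postgres:
    build:
      context: .
      dockerfile: Dockerfile.db
    ports:
      # Quoted so the "host:container" mapping stays a string on every loader.
      - '5432:5432'

  # NON-COMPLIANT: read_only hardens the filesystem but does not replace
  # no-new-privileges.
  redis:
    image: redis:alpine
    read_only: true

  # NON-COMPLIANT: no security_opt.
  sqli:
    build:
      context: .
      dockerfile: Dockerfile.app
    depends_on:
      - postgres
      - redis
    ports:
      - '8080:8080'
    # Literal block scalar: any trailing whitespace on the content line would
    # become part of the command string, so the line ends at "run.py".
    command: |
      wait-for postgres:5432 -- python run.py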

Compliant Code Examples

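version: '3.3'

services:
  # COMPLIANT: every service sets no-new-privileges, not only redis, so no
  # container in this file can gain privileges via setuid/setgid binaries.
  postgres:
    build:
      context: .
      dockerfile: Dockerfile.db
    ports:
      # Quoted so the "host:container" mapping stays a string on every loader.
      - '5432:5432'
    security_opt:
      - 'no-new-privileges:true'

  redis:
    image: redis:alpine
    security_opt:
      # security_opt entries are "key:value" strings with no space after the
      # colon; "- no-new-privileges: true" would instead be a YAML mapping
      # inside the list, which is not the form shown in the rule description.
      - 'no-new-privileges:true'

  sqli:
    build:
      context: .
      dockerfile: Dockerfile.app
    depends_on:
      - postgres
      - redis
    ports:
      - '8080:8080'
    security_opt:
      - 'no-new-privileges:true'
    # Literal block scalar: any trailing whitespace on the content line would
    # become part of the command string, so the line ends at "run.py".
    command: |
      wait-for postgres:5432 -- python run.py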