Id: aa93e17f-b6db-4162-9334-c70334e7ac28
Cloud Provider: Dockerfile
Platform: Dockerfile
Severity: Low
Category: Best Practices
Description
Setting file ownership to a non-root user in a Dockerfile using the --chown flag can leave executables or sensitive files writable by the runtime user. This can enable tampering, persistence of malicious artifacts, or privilege escalation.
This rule flags Dockerfile instructions (for example, COPY or ADD) that include the --chown flag; Dockerfile commands must not use --chown. To remediate, remove --chown from COPY/ADD and ensure files remain root-owned with restrictive permissions (for example, use RUN chmod), or perform any necessary, controlled ownership changes at container startup rather than with --chown during the image build.
Secure example:
# Copy files without --chown so they remain owned by root in the image
COPY app/mybinary /usr/local/bin/mybinary
RUN chmod 0555 /usr/local/bin/mybinary
Compliant Code Examples
FROM python:3.7
RUN pip install Flask==0.11.1
RUN useradd -ms /bin/bash patrick
COPY app /app
WORKDIR /app
USER patrick
CMD ["python", "app.py"]
Non-Compliant Code Examples
FROM python:3.7
RUN pip install Flask==0.11.1
RUN useradd -ms /bin/bash patrick
COPY --chown=patrick:patrick app /app
WORKDIR /app
USER patrick
CMD ["python", "app.py"]
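As an added example that is not part of the Datadog rule or its implementation, a small Python checker that applies the same logic: it joins backslash-continued lines, skips comments, and reports COPY/ADD instructions that carry --chown (including COPY --from=... forms). The two sample Dockerfiles are constructed from the examples on this page.

```python
import re

# Constructed samples mirroring the page's compliant and non-compliant examples.
COMPLIANT = """\
FROM python:3.7
RUN pip install Flask==0.11.1
RUN useradd -ms /bin/bash patrick
COPY app /app
WORKDIR /app
USER patrick
CMD ["python", "app.py"]
"""

NON_COMPLIANT = """\
FROM python:3.7
RUN pip install Flask==0.11.1
RUN useradd -ms /bin/bash patrick
COPY --chown=patrick:patrick \\
     app /app
WORKDIR /app
USER patrick
CMD ["python", "app.py"]
"""

# Docker only accepts the --chown=<user>[:<group>] form; match it as a whole token.
CHOWN_FLAG = re.compile(r"(?<!\S)--chown=")

def logical_lines(text):
    """Yield (first_physical_line_no, instruction) with backslash continuations joined."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        start = n if start is None else start
        if raw.rstrip().endswith("\\"):
            buf.append(raw.rstrip()[:-1])
            continue
        buf.append(raw)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:  # trailing continuation with no final line
        yield start, " ".join(buf)

def find_chown(text):
    """Return (line_no, instruction) for every COPY/ADD that uses --chown."""
    findings = []
    for lineno, line in logical_lines(text):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        if parts[0].upper() not in ("COPY", "ADD"):
            continue  # only COPY/ADD accept --chown
        if len(parts) > 1 and CHOWN_FLAG.search(parts[1]):
            findings.append((lineno, " ".join(stripped.split())))
    return findings
```

Running find_chown over the non-compliant sample reports the COPY on line 4; the compliant sample yields no findings.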