
Metadata

Id: aa93e17f-b6db-4162-9334-c70334e7ac28

Cloud Provider: Dockerfile

Platform: Dockerfile

Severity: Low

Category: Best Practices

Description

Copying files into an image with COPY --chown or ADD --chown makes the copied files, and any directories created for them, owned by the named user. When that user is also the runtime user (set with USER), the application's own code and binaries are writable at runtime. An attacker who gains code execution inside the container can then overwrite them to tamper with application behaviour, drop artifacts that survive a container restart, or replace a file that is later executed or read with higher privileges.

This rule flags COPY and ADD instructions that carry the --chown flag. To remediate, remove --chown so the files stay owned by root, set restrictive permissions with RUN chmod (read and execute only, no write bit for the runtime user), and handle any path that genuinely must be writable on its own: create it at build time with the narrowest ownership that works, or adjust ownership at container startup in a controlled entrypoint, rather than handing the whole application tree to the runtime user at build time. A later RUN chown to the runtime user undoes the benefit of removing --chown, so review those instructions as well.

Secure example:

# Copy files without --chown so they remain owned by root in the image
COPY app/mybinary /usr/local/bin/mybinary
RUN chmod 0555 /usr/local/bin/mybinary

Compliant Code Examples

FROM python:3.7
RUN pip install Flask==0.11.1
RUN useradd -ms /bin/bash patrick
COPY app /app
WORKDIR /app
USER patrick
CMD ["python", "app.py"]

Non-Compliant Code Examples

FROM python:3.7
RUN pip install Flask==0.11.1
RUN useradd -ms /bin/bash patrick
COPY --chown=patrick:patrick app /app
WORKDIR /app
USER patrick
CMD ["python", "app.py"]