Run using sudo

문서 > Datadog 보안 > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Run using sudo

이 페이지는 아직 한국어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Metadata

Id: 8ada6e80-0ade-439e-b176-0b28f6bce35a

Cloud Provider: Dockerfile

Platform: Dockerfile

Severity: Medium

Category: Insecure Configurations

Learn More

Provider Reference

Description

Including the sudo command in Dockerfile RUN instructions is a misconfiguration because Docker build steps typically run as root and sudo is unnecessary. Using sudo can mask incorrect privilege assumptions and lead to fragile builds, unexpected file ownership, or build-time failures when sudo is not available.

This rule flags Dockerfile RUN instructions that contain the literal sudo, either as the first token or anywhere in the command value. RUN instructions must omit sudo. Fix by invoking commands directly during build or by switching to a non-root user with the USER directive and correcting permissions with chown where appropriate.

FROM ubuntu:22.04
RUN apt-get update && apt-get install -y curl

# If commands must run as a non-root user:
USER appuser
RUN mkdir -p /app && chown appuser:appuser /app

Compliant Code Examples

FROM alpine:3.5
RUN apk add --update py2-pip
RUN pip install --upgrade pip
RUN apt-get install sudo
COPY requirements.txt /usr/src/app/
RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
COPY app.py /usr/src/app/
COPY templates/index.html /usr/src/app/templates/
EXPOSE 5000
CMD ["python", "/usr/src/app/app.py"]

Non-Compliant Code Examples

FROM alpine:3.5
RUN apk add --update py2-pip
RUN sudo pip install --upgrade pip
COPY requirements.txt /usr/src/app/
RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
COPY app.py /usr/src/app/
COPY templates/index.html /usr/src/app/templates/
EXPOSE 5000
CMD ["python", "/usr/src/app/app.py"]