For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/dockerfile-avoid-chmod-777.md. A documentation index is available at /llms.txt.

Avoid chmod 777

This product is not supported for your selected Datadog site. ().

Metadata

Id: dockerfile-avoid-chmod-777

Platform: Dockerfile

Severity: High

Category: Access Control

Learn More

Description

Using ADD or COPY with the flag --chmod=777 makes files world-writable inside the image. This allows any user or process in the container to modify those files, increasing the risk of tampering, privilege escalation, and data exposure.

Check Dockerfile ADD and COPY instructions for flags that include --chmod=777. This rule inspects instruction flags (resource type dockerfile_container) and flags ADD or COPY commands that specify --chmod=777.

Avoid granting global write permissions. Instead, use more restrictive modes (for example, 0755 for executables or 0644 for regular files), set appropriate ownership with --chown, or apply targeted chown/chmod in a subsequent RUN step rather than using --chmod=777.

Secure examples:

# Use restrictive permissions during copy
COPY --chown=app:app --chmod=0755 bin/ /app/bin/
COPY --chown=app:app --chmod=0644 conf.yaml /app/conf.yaml

# Or set ownership/permissions in a separate step
COPY src/ /app/src/
RUN chown -R app:app /app && chmod -R 0755 /app/bin && chmod 0644 /app/conf.yaml

Compliant Code Examples

FROM golang:1.21-alpine AS builder

LABEL maintainer="security-team@example.com"
LABEL description="Secure build stage for Go application"

# Install build dependencies
RUN apk add --no-cache \
    git \
    gcc \
    musl-dev

WORKDIR /build

# Copy go module files
COPY go.mod go.sum ./
RUN go mod download

# Negative case 1: ADD with safe permissions (755) for executable scripts
ADD --chmod=755 src dst

# Copy source code
COPY . .

# Build the application
RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .

# Final stage
FROM alpine:3.14

LABEL maintainer="security-team@example.com"
LABEL description="Secure production image for Go application"
LABEL version="1.0.0"

# Install CA certificates and other runtime dependencies
RUN apk add --no-cache \
    ca-certificates \
    tzdata \
    curl

WORKDIR /app

# Create non-root user with specific UID/GID
RUN addgroup -g 1001 appgroup && \
    adduser -D -u 1001 -G appgroup -h /app appuser

# Negative case 2: COPY with safe permissions (755) for application binary
COPY --chmod=755 src dst

# Negative case 3: ADD with restrictive permissions (644) for config files
ADD --chmod=644 src dst

# Negative case 4: COPY with restrictive permissions (600) for secrets
COPY --chmod=600 src dst

# Negative case 5: ADD without chmod flag - uses default secure permissions
ADD src dst

# Negative case 6: COPY without chmod flag - uses default secure permissions
COPY src dst

# Negative case 7: ADD with chown but no chmod - secure ownership
ADD --chown=user:group src dst

# Negative case 8: COPY with chown but no chmod - secure ownership
COPY --chown=user:group src dst

# Copy application binary from builder with proper ownership
COPY --from=builder --chown=appuser:appgroup /build/app /app/

# Set secure environment variables
ENV APP_PORT=8080 \
    APP_ENV=production \
    APP_LOG_LEVEL=info

# Create necessary directories with proper permissions
RUN mkdir -p /app/data /app/logs && \
    chown -R appuser:appgroup /app

# Expose application port
EXPOSE 8080

# Add health check
HEALTHCHECK --interval=30s --timeout=3s --start-period=10s --retries=3 \
    CMD curl -f http://localhost:8080/health || exit 1

# Switch to non-root user
USER appuser

# Use exec form for proper signal handling
CMD ["/app/app"]

Non-Compliant Code Examples

FROM alpine:3.14 AS builder

LABEL maintainer="security-team@example.com"
LABEL description="Build stage for application compilation"

# Install build dependencies
RUN apk add --no-cache \
    gcc \
    musl-dev \
    make

WORKDIR /build

# Positive case 1: ADD with chmod 777 - insecure permissions on source code
ADD --chmod=777 src dst

# Copy build scripts
COPY build.sh /build/

# Compile application
RUN make build

# Final stage
FROM alpine:3.14

LABEL maintainer="security-team@example.com"
LABEL description="Production image for web application"

# Install runtime dependencies
RUN apk add --no-cache \
    ca-certificates \
    curl

WORKDIR /app

# Create application user
RUN addgroup -g 1000 appgroup && \
    adduser -D -u 1000 -G appgroup appuser

# Positive case 2: COPY with chmod 777 - world-writable configuration files
COPY --chmod=777 src dst

# Positive case 3: ADD with chmod 777 and other flags - insecure data directory
ADD --chown=user:group --chmod=777 src dst

# Positive case 4: COPY with chmod 777 and other flags - insecure application binary
COPY --chown=user:group --chmod=777 src dst

# Copy application files from builder
COPY --from=builder /build/app /app/

# Set environment variables
ENV APP_PORT=8080 \
    APP_ENV=production

# Expose application port
EXPOSE 8080

# Health check
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
    CMD curl -f http://localhost:8080/health || exit 1

USER appuser

CMD ["/app/app"]