--- title: Avoid chmod 777 description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Avoid chmod 777 --- # Avoid chmod 777 {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site). (). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `3be406ec-eb81-f09e-05d4-dc6a41683b4c` **Cloud Provider:** Dockerfile **Platform:** Dockerfile **Severity:** High **Category:** Access Control #### Learn More{% #learn-more %} - [Provider Reference](https://docs.docker.com/engine/reference/builder/#add) ### Description{% #description %} Using `ADD` or `COPY` with the flag `--chmod=777` makes files world-writable inside the image. This allows any user or process in the container to modify those files, increasing the risk of tampering, privilege escalation, and data exposure. Check Dockerfile `ADD` and `COPY` instructions for flags that include `--chmod=777`. This rule inspects instruction flags (resource type `dockerfile_container`) and flags `ADD` or `COPY` commands that specify `--chmod=777`. Avoid granting global write permissions. Instead, use more restrictive modes (for example, `0755` for executables or `0644` for regular files), set appropriate ownership with `--chown`, or apply targeted `chown`/`chmod` in a subsequent `RUN` step rather than using `--chmod=777`. Secure examples: ```dockerfile # Use restrictive permissions during copy COPY --chown=app:app --chmod=0755 bin/ /app/bin/ COPY --chown=app:app --chmod=0644 conf.yaml /app/conf.yaml ``` ```dockerfile # Or set ownership/permissions in a separate step COPY src/ /app/src/ RUN chown -R app:app /app && chmod -R 0755 /app/bin && chmod 0644 /app/conf.yaml ``` ## Compliant Code Examples{% #compliant-code-examples %} ```dockerfile FROM golang:1.21-alpine AS builder LABEL maintainer="security-team@example.com" LABEL description="Secure build stage for Go application" # Install build dependencies RUN apk add --no-cache \ git \ gcc \ musl-dev WORKDIR /build # Copy go module files COPY go.mod go.sum ./ RUN go mod download # Negative case 1: ADD with safe permissions (755) for executable scripts ADD --chmod=755 src dst # Copy source code COPY . . # Build the application RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app . # Final stage FROM alpine:3.14 LABEL maintainer="security-team@example.com" LABEL description="Secure production image for Go application" LABEL version="1.0.0" # Install CA certificates and other runtime dependencies RUN apk add --no-cache \ ca-certificates \ tzdata \ curl WORKDIR /app # Create non-root user with specific UID/GID RUN addgroup -g 1001 appgroup && \ adduser -D -u 1001 -G appgroup -h /app appuser # Negative case 2: COPY with safe permissions (755) for application binary COPY --chmod=755 src dst # Negative case 3: ADD with restrictive permissions (644) for config files ADD --chmod=644 src dst # Negative case 4: COPY with restrictive permissions (600) for secrets COPY --chmod=600 src dst # Negative case 5: ADD without chmod flag - uses default secure permissions ADD src dst # Negative case 6: COPY without chmod flag - uses default secure permissions COPY src dst # Negative case 7: ADD with chown but no chmod - secure ownership ADD --chown=user:group src dst # Negative case 8: COPY with chown but no chmod - secure ownership COPY --chown=user:group src dst # Copy application binary from builder with proper ownership COPY --from=builder --chown=appuser:appgroup /build/app /app/ # Set secure environment variables ENV APP_PORT=8080 \ APP_ENV=production \ APP_LOG_LEVEL=info # Create necessary directories with proper permissions RUN mkdir -p /app/data /app/logs && \ chown -R appuser:appgroup /app # Expose application port EXPOSE 8080 # Add health check HEALTHCHECK --interval=30s --timeout=3s --start-period=10s --retries=3 \ CMD curl -f http://localhost:8080/health || exit 1 # Switch to non-root user USER appuser # Use exec form for proper signal handling CMD ["/app/app"] ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```dockerfile FROM alpine:3.14 AS builder LABEL maintainer="security-team@example.com" LABEL description="Build stage for application compilation" # Install build dependencies RUN apk add --no-cache \ gcc \ musl-dev \ make WORKDIR /build # Positive case 1: ADD with chmod 777 - insecure permissions on source code ADD --chmod=777 src dst # Copy build scripts COPY build.sh /build/ # Compile application RUN make build # Final stage FROM alpine:3.14 LABEL maintainer="security-team@example.com" LABEL description="Production image for web application" # Install runtime dependencies RUN apk add --no-cache \ ca-certificates \ curl WORKDIR /app # Create application user RUN addgroup -g 1000 appgroup && \ adduser -D -u 1000 -G appgroup appuser # Positive case 2: COPY with chmod 777 - world-writable configuration files COPY --chmod=777 src dst # Positive case 3: ADD with chmod 777 and other flags - insecure data directory ADD --chown=user:group --chmod=777 src dst # Positive case 4: COPY with chmod 777 and other flags - insecure application binary COPY --chown=user:group --chmod=777 src dst # Copy application files from builder COPY --from=builder /build/app /app/ # Set environment variables ENV APP_PORT=8080 \ APP_ENV=production # Expose application port EXPOSE 8080 # Health check HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \ CMD curl -f http://localhost:8080/health || exit 1 USER appuser CMD ["/app/app"] ```