For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/static_analysis/static_analysis_rules/docker-best-practices/no-new-privileges.md. A documentation index is available at /llms.txt.

Avoid privilege escalation via setuid or setgid

This product is not supported for your selected Datadog site. ().

Metadata

ID: docker-best-practices/no-new-privileges

Language: YAML

Severity: Warning

Category: Security

CWE: 732

Related CWEs:

Description

This rule aims to prevent privilege escalation vulnerabilities in Docker Compose configurations by ensuring that the no-new-privileges security option is enabled. Privilege escalation occurs when a container can gain additional rights beyond its intended permissions, potentially compromising the host system or other containers.

Enabling no-new-privileges:true in the security_opt section of a service ensures that processes inside the container cannot gain new privileges via setuid or setgid binaries. This restriction helps maintain a secure environment by limiting the container’s ability to perform unauthorized actions, reducing the attack surface.

To comply with this rule, ensure that your Docker images use the no-new-privileges directive like below.

security_opt:
  - no-new-privileges:true

Non-Compliant Code Examples

version: '3.3'

services:
  postgres:
    build:
      context: .
      dockerfile: Dockerfile.db
    ports:
      - 5432:5432

  redis:
    image: redis:alpine
    read_only: true
    security_opt:
      - no-new-privileges:false
  
  sqli:
    build:
      context: .
      dockerfile: Dockerfile.app
    depends_on:
      - postgres
      - redis
    ports:
      - 8080:8080
    command: |-
      wait-for postgres:5432 -- python run.py

version: '3.3'

services:
  postgres:
    build:
      context: .
      dockerfile: Dockerfile.db
    ports:
      - 5432:5432

  redis:
    image: redis:alpine
    read_only: true

  sqli:
    build:
      context: .
      dockerfile: Dockerfile.app
    depends_on:
      - postgres
      - redis
    ports:
      - 8080:8080
    command: |
      wait-for postgres:5432 -- python run.py

Compliant Code Examples

version: '3.3'

services:
  postgres:
    build:
      context: .
      dockerfile: Dockerfile.db
    ports:
      - 5432:5432

  redis:
    image: redis:alpine
    security_opt:
      - no-new-privileges:true

  web:
    image: nginx:latest
    security_opt:
      - no-new-privileges

  proxy:
    image: nginx:latest
    security_opt:
      - no-new-privileges=true

  sqli:
    build:
      context: .
      dockerfile: Dockerfile.app
    depends_on:
      - postgres
      - redis
    ports:
      - 8080:8080
    command: |
      wait-for postgres:5432 -- python run.py
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

Seamless integrations. Try Datadog Code Security

Datadog Code Security