Impact & Risk Analysis

  • Severity: High
  • CIS Benchmark: CIS 4.1
  • Impact: Privilege Escalation & Bind Mount Issues. By default, containers run with root privileges. This increases the risk of privilege escalation if the container is compromised. Additionally, running as root can create permission challenges when bind-mounting volumes from the underlying host.

Common Misconfiguration

A common mistake is failing to create a dedicated user in the Dockerfile, or creating one but never switching to it with the USER directive. By default, Docker containers run as the root user inside the container.

Vulnerable Example

# Vulnerable Dockerfile
# No USER directive is specified, so this runs as root (UID 0)
FROM ubuntu:22.04

WORKDIR /app
COPY . .

# Default behavior:
# The process started by CMD will have full root privileges
CMD ["./start-app.sh"]

Secure Example

# Secure Dockerfile
FROM ubuntu:22.04

# Create a specific user before the USER instruction
RUN useradd -d /home/appuser -m -s /bin/bash appuser

WORKDIR /app

# Ensure the new user owns the application files
COPY --chown=appuser:appuser . .

# Switch to the non-root user
USER appuser

CMD ["./start-app.sh"]

Alternative Remediation (Entrypoint Script)

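If it is not possible to set the USER directive in the Dockerfile (e.g., you need root to install dependencies at runtime), use an entrypoint script that drops privileges before starting the main process:

#!/bin/bash
# entrypoint.sh
# Requires gosu to be installed in the image.

# Do root work here (if absolutely necessary)
chown -R appuser:appuser /app/data

# Switch to non-root user to run the main process.
# exec replaces this shell, so the application takes over as the container's main process.
exec gosu appuser "$@"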

Audit Procedure

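To verify whether containers are running as root, run the following command on the host:

# Print the effective UID of PID 1 in each running container
# (-I{} already runs one docker exec per container ID, so --max-args is not needed)
docker ps --quiet | xargs -I{} docker exec {} cat /proc/1/status | grep '^Uid:' | awk '{print $3}'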

  • Result: The command prints the effective UID of PID 1 for each running container.
  • Fail: If it returns 0, the container process is running as root.
  • Pass: If it returns a non-zero ID (e.g., 1000), it is compliant.
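
The audit command above prints bare UIDs, so a 0 cannot be traced back to a container, and a container whose image has no cat binary prints nothing at all. The following added example (not part of the original page or the CIS Benchmark) reports each container by name; the function names, the UNKNOWN status and the --run switch are this example's own assumptions.

```sh
#!/bin/sh
# Added example: per-container form of the /proc/1/status audit.
# Function names and the UNKNOWN status are this example's own.

# Read /proc/<pid>/status text on stdin and print the effective UID.
# The "Uid:" line holds real, effective, saved and filesystem UIDs.
effective_uid() {
  awk '$1 == "Uid:" { print $3; exit }'
}

# classify NAME UID -> "NAME UID PASS|FAIL", or "NAME ? UNKNOWN" when the
# UID could not be read (container exited, or image ships no `cat`).
classify() {
  case $2 in
    '' | *[!0-9]*) echo "$1 ? UNKNOWN" ;;
    0)             echo "$1 0 FAIL" ;;
    *)             echo "$1 $2 PASS" ;;
  esac
}

# Print one line per running container; return non-zero if any container
# is FAIL or UNKNOWN so the check can gate a scheduled job.
audit_containers() {
  report=$(docker ps --format '{{.ID}} {{.Names}}' |
    while read -r id name; do
      # </dev/null keeps docker exec from consuming the loop's input
      uid=$(docker exec "$id" cat /proc/1/status 2>/dev/null </dev/null |
        effective_uid)
      classify "$name" "$uid"
    done)
  [ -n "$report" ] || return 0
  printf '%s\n' "$report"
  ! printf '%s\n' "$report" | grep -Eq ' (FAIL|UNKNOWN)$'
}

# Run against the local Docker daemon only when called with --run.
if [ "${1:-}" = "--run" ]; then
  audit_containers
fi
```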