Dangerous Defaults

Rooting for Trouble: Unmasking the Perils of Root Access in Containers!

"Unmasking Risks: Running containers as root exposes host files! 🛑 Learn why it's a bad idea with a simple example. #ContainerSecurity #DevOps"

Albert Heinle
Written by
Albert Heinle
“You look like my next mistake“ – Taylor Swift

At CoGuard, we have the strict rule of dockerfile_last_user_should_be_non_root. This is a very common vulnerability identified by CoGuard. It is so common because most Docker containers run as root by default you might think that we're being a little over zealous in our identification of this risk. Below is aa simple code example where we demonstrate the exploit-ability of last user of a container as root:

➜  mkdir foo # Create a temporary directory
➜  echo "bar" > foo/tst.txt #create a file which we want to protect later
➜  cd foo 
➜  ls
➜ sudo chown root:root tst.txt # Set the owner as root
➜  ls -lah # verify change
total 4.0K
drwxr-xr-x  2 aheinle aheinle  60 Nov 20 12:37 .
drwxrwxrwt 24 root    root    700 Nov 20 12:37 ..
-rw-r--r--  1 root    root      4 Nov 20 12:37 tst.txt
➜  cat tst.txt # We can still read it
➜  sudo chmod 0400 tst.txt # Set it that only owner (i.e. root) can read
➜  ls -lah tst.txt # verify
-r-------- 1 root root 4 Nov 20 12:37 tst.txt
➜  cat tst.txt # verify that we have a permission denied now
cat: tst.txt: Permission denied
➜  cd ..          
➜  docker run -v /tmp/foo/:/tmp/foo -it ubuntu bash # run plain ubuntu, mounted the foo folder
root@964d8945a786:/# cd /tmp/
root@964d8945a786:/tmp# ls #verifying that foo was mounted properly
root@964d8945a786:/tmp# cd foo/ 
root@964d8945a786:/tmp/foo# ls #listing and seeing that the file is there
root@964d8945a786:/tmp/foo# cat tst.txt # Reading the file

If you have a file system mounted into the Docker container, the container’s root allows you to read host’s protected files as root. And you really don’t want that.

At CoGuard, we know that if you use containers you need to pay attention to version, correct use and configuration of the container and software running inside. We are focused on identifying risks associated with the configuration of modern software stacks including containers, cloud-native, and the applications running inside the containers. Developers are used to using code scanners and including libraries. IT/DevOps/Platform Engineering/Infrastructure typically handles the configuration. CoGuard provides automated tools that help identify the risk when new containers and applications are defined in IaC and deployed to the cloud. Get started today by understanding how your current cloud environments are configured.

pip install coguard-cli
coguard cloud {aws,azure,gcp}

Photo credit Katelyn Greer on Unsplash

Explore a test environment

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Check out and explore a test environment to run infra audits on sample repositories of web applications and view select reports on CoGuard's interative dashboard today.