Dangerous Defaults

Rooting for Trouble: Unmasking the Perils of Root Access in Containers!

"Unmasking Risks: Running containers as root exposes host files! 🛑 Learn why it's a bad idea with a simple example. #ContainerSecurity #DevOps"

Written by Albert Heinle
“You look like my next mistake“ – Taylor Swift

At CoGuard, we have the strict rule dockerfile_last_user_should_be_non_root. This is one of the most common vulnerabilities CoGuard identifies. It is so common because most Docker containers run as root by default, so you might think that we are being a little overzealous in flagging it as a risk. Below is a simple example that demonstrates how a container whose last user is root can be exploited:

➜  mkdir foo # Create a temporary directory
➜  echo "bar" > foo/tst.txt # create a file which we want to protect later
➜  cd foo
➜  ls
tst.txt
➜  sudo chown root:root tst.txt # Set the owner as root
➜  ls -lah # verify change
total 4.0K
drwxr-xr-x  2 aheinle aheinle  60 Nov 20 12:37 .
drwxrwxrwt 24 root    root    700 Nov 20 12:37 ..
-rw-r--r--  1 root    root      4 Nov 20 12:37 tst.txt
➜  cat tst.txt # We can still read it
bar
➜  sudo chmod 0400 tst.txt # Set it so that only the owner (i.e. root) can read
➜  ls -lah tst.txt # verify
-r-------- 1 root root 4 Nov 20 12:37 tst.txt
➜  cat tst.txt # verify that we get a permission denied now
cat: tst.txt: Permission denied
➜  cd ..
➜  docker run -v /tmp/foo/:/tmp/foo -it ubuntu bash # run plain ubuntu with the foo folder mounted
root@964d8945a786:/# cd /tmp/
root@964d8945a786:/tmp# ls # verifying that foo was mounted properly
foo
root@964d8945a786:/tmp# cd foo/
root@964d8945a786:/tmp/foo# ls # listing and seeing that the file is there
tst.txt
root@964d8945a786:/tmp/foo# cat tst.txt # Reading the file
bar

If a host file system is mounted into the Docker container, the container's root user can read the host's protected files as root. And you really don't want that.
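As an added illustration of the rule named above (this is not CoGuard's own checker), the following Python snippet reports whether a Dockerfile's final build stage ends as root; the sample Dockerfiles are constructed for the example.

```python
"""Check a Dockerfile for the rule dockerfile_last_user_should_be_non_root.

An image runs as whatever the last USER instruction of its final build stage
names; with no USER in that stage it runs as root.  Added illustration, not
CoGuard's implementation; ARG/ENV substitution in USER values is not handled.
"""
import re

ROOT_NAMES = {"root", "0"}


def effective_user(dockerfile_text: str) -> str:
    """Return the user the final stage ends with ("root" if never set)."""
    # Join backslash line continuations into one logical line per instruction.
    logical = re.sub(r"\\\r?\n", " ", dockerfile_text)
    user = "root"
    for raw in logical.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        instr = parts[0].upper()
        args = parts[1] if len(parts) > 1 else ""
        if instr == "FROM":
            user = "root"  # each FROM starts a new stage, which defaults to root
        elif instr == "USER":
            user = args.strip()
    return user


def is_root_user(user: str) -> bool:
    """True when a USER value resolves to uid 0: root, 0, root:root, 0:0 ..."""
    name = user.split(":", 1)[0].strip()
    return name == "" or name in ROOT_NAMES


def last_user_is_non_root(dockerfile_text: str) -> bool:
    return not is_root_user(effective_user(dockerfile_text))


# Constructed sample Dockerfiles (not taken from the post).
BAD_DOCKERFILE = "FROM ubuntu:22.04\nRUN apt-get install -y curl\nCMD [\"bash\"]\n"
GOOD_DOCKERFILE = (
    "FROM golang:1.21 AS build\nUSER root\nRUN go build -o /out/app .\n"
    "FROM ubuntu:22.04\nRUN useradd --system --uid 10001 app\n"
    "COPY --from=build /out/app /app\nUSER app\nCMD [\"/app\"]\n"
)

if __name__ == "__main__":
    for name, text in (("bad", BAD_DOCKERFILE), ("good", GOOD_DOCKERFILE)):
        print(name, effective_user(text), "non-root" if last_user_is_non_root(text) else "ROOT")
```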

At CoGuard, we know that if you use containers you need to pay attention to the version, correct use and configuration of the container and of the software running inside it. We are focused on identifying risks associated with the configuration of modern software stacks, including containers, cloud-native services, and the applications running inside the containers. Developers are used to using code scanners and including libraries. IT/DevOps/Platform Engineering/Infrastructure typically handles the configuration. CoGuard provides automated tools that help identify the risk when new containers and applications are defined in IaC and deployed to the cloud. Get started today by understanding how your current cloud environments are configured.

pip install coguard-cli
coguard cloud {aws,azure,gcp}

Photo credit Katelyn Greer on Unsplash

Explore a test environment


Check out and explore a test environment to run infra audits on sample repositories of web applications and view select reports on CoGuard's interactive dashboard today.