# Execution with Unnecessary Privileges (CWE-250)

The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.

**Stack:** Docker

- Prevalence: Alta Frecuentemente explotada
- Impact: Crítico 3 reglas de severidad crítica
- Prevention: Documentada 10 ejemplos de corrección

**OWASP:** Broken Access Control (A01:2021-Broken Access Control) - #1

## Description

New weaknesses can be exposed because running with extra privileges gives the product access to resources that are not necessary. In addition, if an attacker can trigger the operation with the higher privileges, the attacker might gain root or administrator privileges.

## Prevention

### Docker

Add a USER instruction before CMD/ENTRYPOINT to run as non-root

Use a non-root user and restrictive file permissions instead of USER root or chmod 777

## Warning Signs

- [HIGH] No USER instruction before CMD/ENTRYPOINT - container runs as root
- [HIGH] CMD or ENTRYPOINT without a preceding USER instruction
- [HIGH] Dockerfile contains ...: ...
- [HIGH] explicit root user and overly permissive chmod 777 permissions

## Consequences

- Obtener privilegios
- Ejecutar código no autorizado
- Leer datos de la aplicación
- Modificar datos de la aplicación

## Mitigations

- Ejecuta tu código con los menores privilegios necesarios para realizar las tareas requeridas
- Identifica los derechos de acceso mínimos que requiere tu componente y otorga solo esos derechos
- Considera usar un modelo de privilegios Just-In-Time (JIT)

## Detection

- Total rules: 10
- Critical: 3
- Languages: dockerfile, yaml

## Rules by Language

### Dockerfile (2 rules)

- **Container runs as root** [HIGH]: Detects CMD or ENTRYPOINT without a preceding USER instruction.
The container will run as root, which is a security risk.
  - Remediation: Add a USER instruction before CMD/ENTRYPOINT to run as a non-root user.

```dockerfile
USER appuser
CMD ["node", "server.js"]
```

Learn more: https://shoulder.dev/learn/docker/cwe-250/missing-user
- **Docker User and File Permissions** [HIGH]: Detects explicit root user and overly permissive chmod 777 permissions.
  - Remediation: Use a non-root user and restrictive file permissions.

```dockerfile
RUN adduser -D appuser
USER appuser
```

Learn more: https://shoulder.dev/learn/docker/cwe-250/user-permissions