Execution with Unnecessary Privileges
The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.
New weaknesses can be exposed because running with extra privileges gives the product access to resources that are not necessary. In addition, if an attacker can trigger the operation with the higher privileges, the attacker might gain root or administrator privileges.
How to fix this vulnerability
Add a USER instruction before CMD/ENTRYPOINT to run as non-root
FROM node:24-alpine
WORKDIR /app
COPY . .
RUN npm ci
+ RUN addgroup -S appuser && adduser -S appuser -G appuser
+ USER appuser
CMD ["node", "server.js"]
Use a non-root user and restrictive file permissions instead of USER root or chmod 777
FROM node:24-alpine
- USER root
- RUN chmod 777 /app
- COPY . /app
+ RUN addgroup -S appuser && adduser -S appuser -G appuser
+ WORKDIR /app
+ COPY --chown=appuser:appuser . .
+ RUN chmod 755 /app
+ USER appuser
CMD ["node", "server.js"]
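As an added illustration of the two Dockerfile fixes above (this checker is not part of Shoulder or the original page), a small Python script that reports the CWE-250 patterns just shown: a CMD/ENTRYPOINT reached while the effective user is still root, and a world-writable chmod 777. The sample Dockerfiles are constructed, and the effective user is reset at every FROM, as it is in a multi-stage build.

```python
import re

# Constructed sample Dockerfiles, modelled on the fixes above (not from the page).
VULNERABLE = """FROM node:24-alpine
USER root
RUN chmod 777 /app
COPY . /app
CMD ["node", "server.js"]
"""

FIXED = """FROM node:24-alpine
RUN addgroup -S appuser && adduser -S appuser -G appuser
WORKDIR /app
COPY --chown=appuser:appuser . .
RUN chmod 755 /app
USER appuser
CMD ["node", "server.js"]
"""

def logical_lines(text):
    """Yield (lineno, instruction) with comments dropped and backslash continuations joined."""
    buf, start = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if start is None:
            start = lineno
        if stripped.endswith("\\"):
            buf.append(stripped[:-1])
            continue
        buf.append(stripped)
        yield start, " ".join(buf)
        buf, start = [], None

def check_dockerfile(text):
    """Return [(lineno, message)] for CWE-250 patterns: root at CMD/ENTRYPOINT, chmod 777."""
    findings = []
    user = "root"  # Docker's default when a stage has no USER instruction
    for lineno, line in logical_lines(text):
        parts = line.split(None, 1)
        instr, arg = parts[0].upper(), (parts[1] if len(parts) > 1 else "")
        if instr == "FROM":
            user = "root"  # every stage starts again as root
        elif instr == "USER":
            user = arg.split(":")[0].strip()  # ignore an optional :group suffix
        elif instr == "RUN" and re.search(r"\bchmod\s+(-R\s+)?[0-7]?777\b", arg):
            findings.append((lineno, "world-writable chmod 777"))
        elif instr in ("CMD", "ENTRYPOINT") and user in ("root", "0"):
            findings.append((lineno, f"{instr} runs as root (no non-root USER before it)"))
    return findings
```

Running check_dockerfile(VULNERABLE) reports lines 3 and 5, while check_dockerfile(FIXED) returns an empty list.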
Set allowPrivilegeEscalation: false to prevent containers from gaining additional privileges
apiVersion: v1
kind: Pod
spec:
  containers:
  - name: app
    image: nginx:1.25
    securityContext:
-     allowPrivilegeEscalation: true
+     allowPrivilegeEscalation: false
Remove dangerous capabilities like SYS_ADMIN, NET_ADMIN, SYS_PTRACE and drop ALL instead
apiVersion: v1
kind: Pod
spec:
  containers:
  - name: app
    image: nginx:1.25
    securityContext:
      capabilities:
-       add:
-       - SYS_ADMIN
-       - NET_ADMIN
+       drop:
+       - ALL
+       add:
+       - NET_BIND_SERVICE
Disable host namespace access (hostNetwork, hostPID, hostIPC) to isolate pods from the host
apiVersion: v1
kind: Pod
spec:
- hostNetwork: true
- hostPID: true
+ hostNetwork: false
+ hostPID: false
+ hostIPC: false
  containers:
  - name: app
    image: nginx:1.25
Find vulnerabilities in your code
Use Shoulder to scan your code for Execution with Unnecessary Privileges patterns. 10 rules.
# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=250
# Or scan the entire project
npx @shoulderdev/cli trust .
Detection rules (10)
What to look for in code review
These patterns indicate potential Execution with Unnecessary Privileges vulnerabilities. Look for them during code reviews and security audits.
Scan your codebase: Execution with Unnecessary Privileges
The Shoulder CLI finds vulnerable patterns across your entire codebase.