# Execution with Unnecessary Privileges (CWE-250) The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses. **Stack:** Docker - Prevalence: 高 頻繁に悪用される - Impact: クリティカル 3 件の重大度クリティカルなルール - Prevention: 文書化済み 10 件の修正例 **OWASP:** Broken Access Control (A01:2021-Broken Access Control) - #1 ## Description New weaknesses can be exposed because running with extra privileges gives the product access to resources that are not necessary. In addition, if an attacker can trigger the operation with the higher privileges, the attacker might gain root or administrator privileges. ## Prevention ### Docker Add a USER instruction before CMD/ENTRYPOINT to run as non-root Use a non-root user and restrictive file permissions instead of USER root or chmod 777 ## Warning Signs - [HIGH] No USER instruction before CMD/ENTRYPOINT - container runs as root - [HIGH] CMD or ENTRYPOINT without a preceding USER instruction - [HIGH] Dockerfile contains ...: ... - [HIGH] explicit root user and overly permissive chmod 777 permissions ## Consequences - 権限の取得 - 未承認コードの実行 - アプリケーションデータの読み取り - アプリケーションデータの変更 ## Mitigations - 必要なタスクを遂行できる最小限の権限でコードを実行する - コンポーネントに必要な最小限のアクセス権を特定し、その権限のみを付与する - Just-In-Time (JIT) 権限モデルの採用を検討する ## Detection - Total rules: 10 - Critical: 3 - Languages: dockerfile, yaml ## Rules by Language ### Dockerfile (2 rules) - **Container runs as root** [HIGH]: Detects CMD or ENTRYPOINT without a preceding USER instruction. The container will run as root, which is a security risk. - Remediation: Add a USER instruction before CMD/ENTRYPOINT to run as a non-root user. ```dockerfile USER appuser CMD ["node", "server.js"] ``` Learn more: https://shoulder.dev/learn/docker/cwe-250/missing-user - **Docker User and File Permissions** [HIGH]: Detects explicit root user and overly permissive chmod 777 permissions. - Remediation: Use a non-root user and restrictive file permissions. ```dockerfile RUN adduser -D appuser USER appuser ``` Learn more: https://shoulder.dev/learn/docker/cwe-250/user-permissions