Execution with Unnecessary Privileges

🛡️ 10 rules detect this weakness

The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.

New weaknesses can be exposed because running with extra privileges gives the product access to resources that are not necessary. In addition, if an attacker can trigger the operation with the higher privileges, the attacker might gain root or administrator privileges.

Prevalence: High (frequently exploited)
Impact: Critical (3 critical-severity rules)
Prevention: Documented (10 fix examples)

How to fix this weakness

Container runs as root (HIGH)

Add a USER instruction before CMD/ENTRYPOINT to run as non-root

+2 -0 dockerfile
  FROM node:24-alpine
  WORKDIR /app
  COPY . .
  RUN npm ci
+ RUN addgroup -S appuser && adduser -S appuser -G appuser
+ USER appuser
  CMD ["node", "server.js"]
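Review bot: `COPY . .` and `RUN npm ci` above the added lines still execute as root, so /app and node_modules end up root-owned. That is the right default for code the process should not be able to modify, but if server.js writes anywhere under /app it will now fail with EACCES; the fix for that is `COPY --chown=appuser:appuser . .` or a dedicated writable volume, never a `chmod 777`. Also, the official node images (the alpine variants included) already ship a non-root `node` user, so `USER node` gives the same result without the addgroup/adduser line.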
  
Docker User and File Permissions (HIGH)

Use a non-root user and restrictive file permissions instead of USER root or chmod 777

+5 -3 dockerfile
  FROM node:24-alpine
- USER root
- RUN chmod 777 /app
- COPY . /app
+ RUN addgroup -S appuser && adduser -S appuser -G appuser
+ WORKDIR /app
+ COPY --chown=appuser:appuser . .
+ RUN chmod 755 /app
+ USER appuser
  CMD ["node", "server.js"]
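Review bot: `RUN chmod 755 /app` on the added lines is not recursive and targets a directory that `WORKDIR /app` already created with mode 755, so it is a no-op and can be dropped. The more important point is `COPY --chown=appuser:appuser . .`: it makes the application source writable by the very user that runs it, which weakens the read-only posture the USER switch is meant to establish. Unless the app needs to write into /app, keep the files root-owned (plain `COPY . .`, default 644/755 modes are readable by appuser) and rely on `USER appuser` alone; hand out a writable directory only where writes are actually needed.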
  
Privilege Escalation Allowed (HIGH)

Set allowPrivilegeEscalation: false to prevent containers from gaining additional privileges

+1 -1 yaml
  apiVersion: v1
  kind: Pod
  spec:
    containers:
    - name: app
      image: nginx:1.25
      securityContext:
-       allowPrivilegeEscalation: true
+       allowPrivilegeEscalation: false
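Review bot: `allowPrivilegeEscalation: false` only sets no_new_privs on the container process, and Kubernetes forces the field back to true when the container is `privileged` or adds CAP_SYS_ADMIN, so the change on the `+` line is only effective if neither of those appears elsewhere in the securityContext. Pair it with `runAsNonRoot: true` and `capabilities.drop: [ALL]` so that a setuid binary in the image has nothing to escalate to; the restricted Pod Security Standard requires all three together. The fragment also has no `metadata.name`, which `kubectl apply` would reject as shown, though that is presentation rather than the fix itself.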
  
Dangerous Linux Capabilities Added (CRITICAL)

Remove dangerous capabilities like SYS_ADMIN, NET_ADMIN, SYS_PTRACE and drop ALL instead

+4 -3 yaml
  apiVersion: v1
  kind: Pod
  spec:
    containers:
    - name: app
      image: nginx:1.25
      securityContext:
        capabilities:
-         add:
-           - SYS_ADMIN
-           - NET_ADMIN
+         drop:
+           - ALL
+         add:
+           - NET_BIND_SERVICE
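Review bot: check that nginx:1.25 actually starts with the capability set on the `+` lines. The official image's master process runs as root and calls setgid/setuid to move its worker processes to the nginx user, which needs CAP_SETGID and CAP_SETUID; with `drop: [ALL]` and only NET_BIND_SERVICE added back, the workers fail with "Operation not permitted". Either add SETGID and SETUID as well, or (cleaner) use an image that is already unprivileged, such as nginxinc/nginx-unprivileged listening on 8080 as a non-root uid, at which point NET_BIND_SERVICE is not needed either and `runAsNonRoot: true` can be set. The order of `drop` and `add` in the manifest does not matter: Kubernetes applies the drops first, then the adds.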
  
Host Namespace Access Enabled (CRITICAL)

Disable host namespace access (hostNetwork, hostPID, hostIPC) to isolate pods from the host

+3 -2 yaml
  apiVersion: v1
  kind: Pod
  spec:
-   hostNetwork: true
-   hostPID: true
+   hostNetwork: false
+   hostPID: false
+   hostIPC: false
    containers:
    - name: app
      image: nginx:1.25
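Review bot: all three fields default to false, so the `+` lines are equivalent to just deleting the `-` lines; keeping them explicit is fine as documentation, but it does nothing to stop the next change from re-adding `hostPID: true`. Enforce it at admission instead: label the namespace with `pod-security.kubernetes.io/enforce: baseline`, since the baseline Pod Security Standard rejects hostNetwork, hostPID and hostIPC along with privileged containers and the SYS_ADMIN/NET_ADMIN/SYS_PTRACE additions from the previous example.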
  
3 detections, 4 warning signs

What to look for in code review

These patterns indicate a potential Execution with Unnecessary Privileges weakness. Look for them during code review and security audits.

🟠 docker-missing-user: No USER instruction before CMD/ENTRYPOINT, so the container runs as root. Pattern: CMD or ENTRYPOINT without a preceding USER instruction.
🟠 docker-user-permissions: Dockerfile contains ...: ... Pattern: explicit root user and overly permissive chmod 777 permissions.
🟠 kubernetes-allow-privilege-escalation: Container allows privilege escalation, which can enable attackers to gain additional privileges through exploits. Pattern: containers with privilege escalation explicitly enabled.
🟠 kubernetes-missing-security-context: Containers should run with security constraints defined in securityContext. Pattern: containers without securityContext configuration.
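As an added example (not Shoulder's rule engine and not code from this page), the checker below encodes the four warning signs above plus the host-namespace and capability checks from the fix section, and runs them over constructed inputs. It assumes the Kubernetes manifest has already been parsed into a dict (what yaml.safe_load returns), so it needs no third-party module. The identifiers docker-missing-user, docker-user-permissions, kubernetes-allow-privilege-escalation and kubernetes-missing-security-context are the page's; kubernetes-host-namespace and kubernetes-dangerous-capability are names I made up for the two fix sections that carry no identifier here, and the DANGEROUS_CAPS list is my choice. It goes one step beyond the page's rule in one place: Kubernetes treats an unset allowPrivilegeEscalation as true, so the checker reports that case too, labelled as defaulted.

```python
# Added example: checkers for the warning signs above. The Dockerfile checks
# work on raw text; the Kubernetes checks take a Pod manifest already parsed
# into a dict (what yaml.safe_load returns), so no third-party module is needed.
import re

# Constructed sample inputs, not taken from any real project.
DOCKERFILE_VULNERABLE = """\
# comment line, ignored by the parser
FROM node:24-alpine
USER root
RUN chmod 777 /app && \\
    echo "world-writable app dir"
COPY . /app
CMD ["node", "server.js"]
"""

POD_VULNERABLE = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "hostNetwork": True,
        "hostPID": True,
        "containers": [
            {"name": "app", "image": "nginx:1.25",
             "securityContext": {
                 "allowPrivilegeEscalation": True,
                 "capabilities": {"add": ["SYS_ADMIN", "NET_ADMIN"]}}},
            # No securityContext at all: every Kubernetes default applies.
            {"name": "sidecar", "image": "busybox:1.36"},
        ],
    },
}

# The three capabilities the page names plus a few usually grouped with them
# (my list; extend to taste). "ALL" catches `add: [ALL]`.
DANGEROUS_CAPS = {"SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE", "SYS_RAWIO", "ALL"}


def _instructions(dockerfile):
    """Yield (INSTRUCTION, args) pairs. Joins backslash continuations and
    skips blank/comment lines; heredocs and parser directives are ignored."""
    buf = ""
    for raw in dockerfile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        parts = (buf + line).split(None, 1)
        buf = ""
        yield parts[0].upper(), (parts[1] if len(parts) > 1 else "")


def lint_dockerfile(text):
    """docker-missing-user and docker-user-permissions."""
    findings = []
    user = "root"  # a stage starts as root unless its base image set USER
    for instr, args in _instructions(text):
        if instr == "FROM":
            user = "root"  # a USER set inside the base image is invisible here
        elif instr == "USER":
            user = args.split(":")[0].strip()
            if user in ("root", "0"):
                findings.append("docker-user-permissions: explicit USER root")
        elif instr == "RUN" and re.search(r"\bchmod\b.*\s(0?777|a\+rwx)\b", args):
            findings.append("docker-user-permissions: chmod 777 in RUN")
        elif instr in ("CMD", "ENTRYPOINT") and user in ("root", "0"):
            findings.append(f"docker-missing-user: {instr} runs as root")
    return findings


def lint_pod(manifest):
    """Host namespaces, allowPrivilegeEscalation, added capabilities and
    missing securityContext, per container (init containers included)."""
    findings = []
    spec = manifest.get("spec", {})
    for ns in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(ns) is True:
            findings.append(f"kubernetes-host-namespace: spec.{ns} is true")
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext")
        if sc is None:
            findings.append(f"kubernetes-missing-security-context: container {name}")
            continue
        ape = sc.get("allowPrivilegeEscalation")
        if ape is True:
            findings.append(f"kubernetes-allow-privilege-escalation: container {name} (explicit)")
        elif ape is None:  # unset means true: no_new_privs is not applied
            findings.append(f"kubernetes-allow-privilege-escalation: container {name} (defaulted)")
        for cap in (sc.get("capabilities") or {}).get("add") or []:
            if str(cap).upper() in DANGEROUS_CAPS:
                findings.append(f"kubernetes-dangerous-capability: container {name} adds {cap}")
    return findings


if __name__ == "__main__":
    print(*lint_dockerfile(DOCKERFILE_VULNERABLE), sep="\n")
    print(*lint_pod(POD_VULNERABLE), sep="\n")
```

Two design points worth noting. The Dockerfile check resets the effective user at every FROM, so a multi-stage build whose final stage forgets USER is caught even when an earlier stage had one; the flip side is that a base image that already sets USER (nginxinc/nginx-unprivileged, for instance) is invisible to a text-only check and will be reported as a false positive. The Pod check distinguishes an explicit `allowPrivilegeEscalation: true` from a missing field because the two need different conversations in review, but both are findings, since the effective value is the same.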