Execution with Unnecessary Privileges
The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.
New weaknesses can be exposed because running with extra privileges gives the product access to resources that are not necessary. In addition, if an attacker can trigger the operation with the higher privileges, the attacker might gain root or administrator privileges.
이 취약점을 수정하는 방법
Add a USER instruction before CMD/ENTRYPOINT to run as non-root
FROM node:24-alpine WORKDIR /app COPY . . RUN npm ci + RUN addgroup -S appuser && adduser -S appuser -G appuser + USER appuser CMD ["node", "server.js"]
Use a non-root user and restrictive file permissions instead of USER root or chmod 777
FROM node:24-alpine - USER root - RUN chmod 777 /app - COPY . /app + RUN addgroup -S appuser && adduser -S appuser -G appuser + WORKDIR /app + COPY --chown=appuser:appuser . . + RUN chmod 755 /app + USER appuser CMD ["node", "server.js"]
Set allowPrivilegeEscalation: false to prevent containers from gaining additional privileges
apiVersion: v1 kind: Pod spec: containers: - name: app image: nginx:1.25 securityContext: - allowPrivilegeEscalation: true + allowPrivilegeEscalation: false
Remove dangerous capabilities like SYS_ADMIN, NET_ADMIN, SYS_PTRACE and drop ALL instead
apiVersion: v1 kind: Pod spec: containers: - name: app image: nginx:1.25 securityContext: capabilities: - add: - - SYS_ADMIN - - NET_ADMIN + drop: + - ALL + add: + - NET_BIND_SERVICE
Disable host namespace access (hostNetwork, hostPID, hostIPC) to isolate pods from the host
apiVersion: v1 kind: Pod spec: - hostNetwork: true - hostPID: true + hostNetwork: false + hostPID: false + hostIPC: false containers: - name: app image: nginx:1.25
코드에서 취약점 찾기
Shoulder를 사용하여 코드에서 Execution with Unnecessary Privileges 패턴을 스캔하세요. 10 규칙.
# Scan with Shoulder CLI npx @shoulderdev/cli trust --cwe=250 # Or scan entire project npx @shoulderdev/cli trust .
탐지 규칙 (10)
코드 리뷰에서 주의할 점
이 패턴은 잠재적인 Execution with Unnecessary Privileges 취약점을 나타냅니다. 코드 리뷰와 보안 감사 중에 찾아보세요.
코드베이스를 스캔하세요: Execution with Unnecessary Privileges
Shoulder CLI는 전체 코드베이스에서 취약한 패턴을 찾아냅니다.