Execution with Unnecessary Privileges (CWE-250)

Execution with Unnecessary Privileges

The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.

New weaknesses can be exposed because running with extra privileges gives the product access to resources that are not necessary. In addition, if an attacker can trigger the operation with the higher privileges, the attacker might gain root or administrator privileges.

Rozpowszechnienie

Wysoka

Często wykorzystywana

Wplyw

Krytyczny

3 reguł o krytycznym poziomie

Zapobieganie

Udokumentowane

10 przykładów poprawek

2 Zapobieganie

Jak naprawić tę podatność

🐳 Docker Zobacz wszystko Docker szczegóły →

Container runs as root HIGH

Add a USER instruction before CMD/ENTRYPOINT to run as non-root

+2 -0 dockerfile

  FROM node:24-alpine
  WORKDIR /app
  COPY . .
  RUN npm ci
+ RUN addgroup -S appuser && adduser -S appuser -G appuser
+ USER appuser
  CMD ["node", "server.js"]

Docker User and File Permissions HIGH

Use a non-root user and restrictive file permissions instead of USER root or chmod 777

+5 -3 dockerfile

  FROM node:24-alpine
- USER root
- RUN chmod 777 /app
- COPY . /app
+ RUN addgroup -S appuser && adduser -S appuser -G appuser
+ WORKDIR /app
+ COPY --chown=appuser:appuser . .
+ RUN chmod 755 /app
+ USER appuser
  CMD ["node", "server.js"]

☸️ Kubernetes Zobacz wszystko Kubernetes szczegóły →

Privilege Escalation Allowed HIGH

Set allowPrivilegeEscalation: false to prevent containers from gaining additional privileges

+1 -1 yaml

  apiVersion: v1
  kind: Pod
  spec:
    containers:
    - name: app
      image: nginx:1.25
      securityContext:
-       allowPrivilegeEscalation: true
+       allowPrivilegeEscalation: false

Dangerous Linux Capabilities Added CRITICAL

Remove dangerous capabilities like SYS_ADMIN, NET_ADMIN, SYS_PTRACE and drop ALL instead

+4 -3 yaml

  apiVersion: v1
  kind: Pod
  spec:
    containers:
    - name: app
      image: nginx:1.25
      securityContext:
        capabilities:
-         add:
-           - SYS_ADMIN
-           - NET_ADMIN
+         drop:
+           - ALL
+         add:
+           - NET_BIND_SERVICE

Host Namespace Access Enabled CRITICAL

Disable host namespace access (hostNetwork, hostPID, hostIPC) to isolate pods from the host

+3 -2 yaml

  apiVersion: v1
  kind: Pod
  spec:
-   hostNetwork: true
-   hostPID: true
+   hostNetwork: false
+   hostPID: false
+   hostIPC: false
    containers:
    - name: app
      image: nginx:1.25

3 Wykrywanie

Znajdz podatnosci w swoim kodzie

Uzyj Shoulder do skanowania kodu w poszukiwaniu wzorcow Execution with Unnecessary Privileges. 10 reguly.

terminal

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=250

# Or scan entire project
npx @shoulderdev/cli trust .

Reguly Wykrywania (10)

📄 Yaml 8 rules

Privilege Escalation Allowed HIGH

Detects containers with privilege escalation explicitly enabled.

Dangerous Linux Capabilities Added CRITICAL

Detects containers adding dangerous Linux capabilities like SYS_ADMIN, NET_ADMIN, or SYS_PTRACE.

Host Namespace Access Enabled CRITICAL

Detects pods configured to access host namespaces (network, PID, or IPC).

Missing Capability Restrictions MEDIUM

Detects containers that do not drop unnecessary Linux capabilities.

Missing allowPrivilegeEscalation Setting MEDIUM

Detects containers with securityContext that do not explicitly set allowPrivilegeEscalation.

Missing Container Security Context HIGH

Detects containers without securityContext configuration.

Privileged Container Detected CRITICAL

Detects containers running with privileged security context.

Container Running as Root User HIGH

Detects containers configured to run as root user (UID 0).

🐳 Dockerfile 2 rules

Container runs as root HIGH

Detects CMD or ENTRYPOINT without a preceding USER instruction. The container will run as root, which is a security risk.

Docker User and File Permissions HIGH

Detects explicit root user and overly permissive chmod 777 permissions.

4 Sygnaly Ostrzegawcze

Na co zwracac uwage podczas przegladu kodu

Te wzorce wskazuja na potencjalne podatnosci Execution with Unnecessary Privileges. Szukaj ich podczas przegladow kodu i audytow bezpieczenstwa.

🟠

No USER instruction before CMD/ENTRYPOINT - container runs as root docker-missing-user

🟠

CMD or ENTRYPOINT without a preceding USER instruction docker-missing-user

🟠

Dockerfile contains ...: ... docker-user-permissions

🟠

explicit root user and overly permissive chmod 777 permissions docker-user-permissions

🟠

Container allows privilege escalation, which can enable attackers to gain additional privileges through exploits. kubernetes-allow-privilege-escalation

🟠

containers with privilege escalation explicitly enabled kubernetes-allow-privilege-escalation

🟠

Containers should run with security constraints defined in securityContext. kubernetes-missing-security-context

🟠

containers without securityContext configuration kubernetes-missing-security-context

🔍

Przeskanuj swój kod w poszukiwaniu Execution with Unnecessary Privileges

Shoulder CLI znajduje podatne wzorce w całym Twoim kodzie.

npx shoulder trust Przeglądaj wszystkie reguły