# Execution with Unnecessary Privileges (CWE-250)

The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.

- Prevalence: High Frequently exploited
- Impact: Critical 3 critical-severity rules
- Prevention: Documented 10 fix examples

**OWASP:** Broken Access Control (A01:2021-Broken Access Control) - #1

## Description

New weaknesses can be exposed because running with extra privileges gives the product access to resources that are not necessary. In addition, if an attacker can trigger the operation with the higher privileges, the attacker might gain root or administrator privileges.

## Prevention

### Docker

Add a USER instruction before CMD/ENTRYPOINT to run as non-root

Use a non-root user and restrictive file permissions instead of USER root or chmod 777

### Kubernetes

Set allowPrivilegeEscalation: false to prevent containers from gaining additional privileges

Remove dangerous capabilities like SYS_ADMIN, NET_ADMIN, SYS_PTRACE and drop ALL instead

Disable host namespace access (hostNetwork, hostPID, hostIPC) to isolate pods from the host

## Warning Signs

- [HIGH] No USER instruction before CMD/ENTRYPOINT - container runs as root
- [HIGH] CMD or ENTRYPOINT without a preceding USER instruction
- [HIGH] Dockerfile contains ...: ...
- [HIGH] explicit root user and overly permissive chmod 777 permissions
- [HIGH] Container allows privilege escalation, which can enable attackers to gain additional privileges through exploits.
- [HIGH] containers with privilege escalation explicitly enabled
- [HIGH] Containers should run with security constraints defined in securityContext.
- [HIGH] containers without securityContext configuration

## Consequences

- Gain Privileges
- Execute Unauthorized Code
- Read Application Data
- Modify Application Data

## Mitigations

- Run your code using the lowest privileges that are required to accomplish the necessary tasks
- Identify the minimum access rights your component requires, and only grant it those rights
- Consider using a Just-In-Time (JIT) privilege model

## Detection

- Total rules: 10
- Critical: 3
- Languages: dockerfile, yaml

## Rules by Language

### Yaml (8 rules)

- **Privilege Escalation Allowed** [HIGH]: Detects containers with privilege escalation explicitly enabled.
  - Remediation: Disable privilege escalation in securityContext.

```yaml
securityContext:
  allowPrivilegeEscalation: false
```

Learn more: https://shoulder.dev/learn/kubernetes/cwe-250/privilege-escalation
- **Dangerous Linux Capabilities Added** [CRITICAL]: Detects containers adding dangerous Linux capabilities like SYS_ADMIN, NET_ADMIN, or SYS_PTRACE.
  - Remediation: Remove dangerous capabilities and drop ALL.

```yaml
securityContext:
  capabilities:
    drop: [ALL]
```

Learn more: https://shoulder.dev/learn/kubernetes/cwe-250/dangerous-capabilities
- **Host Namespace Access Enabled** [CRITICAL]: Detects pods configured to access host namespaces (network, PID, or IPC).
  - Remediation: Remove or disable host namespace access.

```yaml
spec:
  hostNetwork: false
  hostPID: false
```

Learn more: https://shoulder.dev/learn/kubernetes/cwe-250/host-access
- **Missing Capability Restrictions** [MEDIUM]: Detects containers that do not drop unnecessary Linux capabilities.
  - Remediation: Drop all capabilities in securityContext.

```yaml
securityContext:
  capabilities:
    drop: [ALL]
```

Learn more: https://shoulder.dev/learn/kubernetes/cwe-250/missing-drop-capabilities
- **Missing allowPrivilegeEscalation Setting** [MEDIUM]: Detects containers with securityContext that do not explicitly set allowPrivilegeEscalation.
  - Remediation: Explicitly disable privilege escalation.

```yaml
securityContext:
  allowPrivilegeEscalation: false
```

Learn more: https://shoulder.dev/learn/kubernetes/cwe-250/missing-privilege-escalation-setting
- **Missing Container Security Context** [HIGH]: Detects containers without securityContext configuration.
  - Remediation: Add securityContext to containers.

```yaml
securityContext:
  runAsNonRoot: true
  allowPrivilegeEscalation: false
```

Learn more: https://shoulder.dev/learn/kubernetes/cwe-250/missing-security-context
- **Privileged Container Detected** [CRITICAL]: Detects containers running with privileged security context.
  - Remediation: Set privileged to false in the security context.

```yaml
securityContext:
  privileged: false
```

Learn more: https://shoulder.dev/learn/kubernetes/cwe-250/privileged-container
- **Container Running as Root User** [HIGH]: Detects containers configured to run as root user (UID 0).
  - Remediation: Set runAsUser to a non-root UID.

```yaml
securityContext:
  runAsNonRoot: true
  runAsUser: 1000
```

Learn more: https://shoulder.dev/learn/kubernetes/cwe-250/root-user

### Dockerfile (2 rules)

- **Container runs as root** [HIGH]: Detects CMD or ENTRYPOINT without a preceding USER instruction.
The container will run as root, which is a security risk.
  - Remediation: Add a USER instruction before CMD/ENTRYPOINT to run as a non-root user.

```dockerfile
USER appuser
CMD ["node", "server.js"]
```

Learn more: https://shoulder.dev/learn/docker/cwe-250/missing-user
- **Docker User and File Permissions** [HIGH]: Detects explicit root user and overly permissive chmod 777 permissions.
  - Remediation: Use a non-root user and restrictive file permissions.

```dockerfile
RUN adduser -D appuser
USER appuser
```

Learn more: https://shoulder.dev/learn/docker/cwe-250/user-permissions