Execution with Unnecessary Privileges (CWE-250)

Execution with Unnecessary Privileges

The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.

New weaknesses can be exposed because running with extra privileges gives the product access to resources that are not necessary. In addition, if an attacker can trigger the operation with the higher privileges, the attacker might gain root or administrator privileges.

普遍性

高

频繁被利用

影响

关键

3 条严重级别为关键的规则

预防

已记录

10 个修复示例

2 预防

如何修复此漏洞

🐳 Docker 查看全部 Docker 详情 →

Container runs as root HIGH

Add a USER instruction before CMD/ENTRYPOINT to run as non-root

+2 -0 dockerfile

  FROM node:24-alpine
  WORKDIR /app
  COPY . .
  RUN npm ci
+ RUN addgroup -S appuser && adduser -S appuser -G appuser
+ USER appuser
  CMD ["node", "server.js"]

Docker User and File Permissions HIGH

Use a non-root user and restrictive file permissions instead of USER root or chmod 777

+5 -3 dockerfile

  FROM node:24-alpine
- USER root
- RUN chmod 777 /app
- COPY . /app
+ RUN addgroup -S appuser && adduser -S appuser -G appuser
+ WORKDIR /app
+ COPY --chown=appuser:appuser . .
+ RUN chmod 755 /app
+ USER appuser
  CMD ["node", "server.js"]

☸️ Kubernetes 查看全部 Kubernetes 详情 →

Privilege Escalation Allowed HIGH

Set allowPrivilegeEscalation: false to prevent containers from gaining additional privileges

+1 -1 yaml

  apiVersion: v1
  kind: Pod
  spec:
    containers:
    - name: app
      image: nginx:1.25
      securityContext:
-       allowPrivilegeEscalation: true
+       allowPrivilegeEscalation: false

Dangerous Linux Capabilities Added CRITICAL

Remove dangerous capabilities like SYS_ADMIN, NET_ADMIN, SYS_PTRACE and drop ALL instead

+4 -3 yaml

  apiVersion: v1
  kind: Pod
  spec:
    containers:
    - name: app
      image: nginx:1.25
      securityContext:
        capabilities:
-         add:
-           - SYS_ADMIN
-           - NET_ADMIN
+         drop:
+           - ALL
+         add:
+           - NET_BIND_SERVICE

Host Namespace Access Enabled CRITICAL

Disable host namespace access (hostNetwork, hostPID, hostIPC) to isolate pods from the host

+3 -2 yaml

  apiVersion: v1
  kind: Pod
  spec:
-   hostNetwork: true
-   hostPID: true
+   hostNetwork: false
+   hostPID: false
+   hostIPC: false
    containers:
    - name: app
      image: nginx:1.25

3 检测

查找代码中的漏洞

使用Shoulder扫描代码中的Execution with Unnecessary Privileges模式。 10 规则.

终端

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=250

# Or scan entire project
npx @shoulderdev/cli trust .

检测规则 (10)

📄 Yaml 8 rules

Privilege Escalation Allowed HIGH

Detects containers with privilege escalation explicitly enabled.

Dangerous Linux Capabilities Added CRITICAL

Detects containers adding dangerous Linux capabilities like SYS_ADMIN, NET_ADMIN, or SYS_PTRACE.

Host Namespace Access Enabled CRITICAL

Detects pods configured to access host namespaces (network, PID, or IPC).

Missing Capability Restrictions MEDIUM

Detects containers that do not drop unnecessary Linux capabilities.

Missing allowPrivilegeEscalation Setting MEDIUM

Detects containers with securityContext that do not explicitly set allowPrivilegeEscalation.

Missing Container Security Context HIGH

Detects containers without securityContext configuration.

Privileged Container Detected CRITICAL

Detects containers running with privileged security context.

Container Running as Root User HIGH

Detects containers configured to run as root user (UID 0).

🐳 Dockerfile 2 rules

Container runs as root HIGH

Detects CMD or ENTRYPOINT without a preceding USER instruction. The container will run as root, which is a security risk.

Docker User and File Permissions HIGH

Detects explicit root user and overly permissive chmod 777 permissions.

4 警告信号

代码审查中需要关注的内容

这些模式表明潜在的Execution with Unnecessary Privileges漏洞。在代码审查和安全审计中注意查找。

🟠

No USER instruction before CMD/ENTRYPOINT - container runs as root docker-missing-user

🟠

CMD or ENTRYPOINT without a preceding USER instruction docker-missing-user

🟠

Dockerfile contains ...: ... docker-user-permissions

🟠

explicit root user and overly permissive chmod 777 permissions docker-user-permissions

🟠

Container allows privilege escalation, which can enable attackers to gain additional privileges through exploits. kubernetes-allow-privilege-escalation

🟠

containers with privilege escalation explicitly enabled kubernetes-allow-privilege-escalation

🟠

Containers should run with security constraints defined in securityContext. kubernetes-missing-security-context

🟠

containers without securityContext configuration kubernetes-missing-security-context

🔍

扫描你的代码库: Execution with Unnecessary Privileges

Shoulder CLI 在整个代码库中找到易受攻击的模式。

npx shoulder trust 浏览所有规则