Dangerous Defaults

Rooting for Trouble: Unmasking the Perils of Root Access in Containers!

"Unmasking Risks: Running containers as root exposes host files! 🛑 Learn why it's a bad idea with a simple example. #ContainerSecurity #DevOps"

Albert Heinle
Written by
Albert Heinle
“You look like my next mistake“ – Taylor Swift

At CoGuard, we have the strict rule of dockerfile_last_user_should_be_non_root. This is a very common vulnerability identified by CoGuard. It is so common because most Docker containers run as root by default you might think that we're being a little over zealous in our identification of this risk. Below is aa simple code example where we demonstrate the exploit-ability of last user of a container as root:

➜  mkdir foo # Create a temporary directory
➜  echo "bar" > foo/tst.txt #create a file which we want to protect later
➜  cd foo 
➜  ls
tst.txt
➜ sudo chown root:root tst.txt # Set the owner as root
➜  ls -lah # verify change
total 4.0K
drwxr-xr-x  2 aheinle aheinle  60 Nov 20 12:37 .
drwxrwxrwt 24 root    root    700 Nov 20 12:37 ..
-rw-r--r--  1 root    root      4 Nov 20 12:37 tst.txt
➜  cat tst.txt # We can still read it
bar
➜  sudo chmod 0400 tst.txt # Set it that only owner (i.e. root) can read
➜  ls -lah tst.txt # verify
-r-------- 1 root root 4 Nov 20 12:37 tst.txt
➜  cat tst.txt # verify that we have a permission denied now
cat: tst.txt: Permission denied
➜  cd ..          
➜  docker run -v /tmp/foo/:/tmp/foo -it ubuntu bash # run plain ubuntu, mounted the foo folder
root@964d8945a786:/# cd /tmp/
root@964d8945a786:/tmp# ls #verifying that foo was mounted properly
foo
root@964d8945a786:/tmp# cd foo/ 
root@964d8945a786:/tmp/foo# ls #listing and seeing that the file is there
tst.txt
root@964d8945a786:/tmp/foo# cat tst.txt # Reading the file
bar

If you have a file system mounted into the Docker container, the container’s root allows you to read host’s protected files as root. And you really don’t want that.

At CoGuard, we know that if you use containers you need to pay attention to version, correct use and configuration of the container and software running inside. We are focused on identifying risks associated with the configuration of modern software stacks including containers, cloud-native, and the applications running inside the containers. Developers are used to using code scanners and including libraries. IT/DevOps/Platform Engineering/Infrastructure typically handles the configuration. CoGuard provides automated tools that help identify the risk when new containers and applications are defined in IaC and deployed to the cloud. Get started today by understanding how your current cloud environments are configured. 

pip install coguard-cli
coguard cloud {aws,azure,gcp}

Photo credit Katelyn Greer on Unsplash

more resources

Similar Posts

View all resources
Cyber Security
The different flavours of Docker image security

This article focuses on outlining the difference between some of the common image security scanners out there, what they are scanning for, and what the major differences are.

DevOps Tips
Elevating the Standard: A Deeper Look into CoGuard

Configuration changes are just as risky as code changes. Here's our take on the tooling required to give configurations the same, rigorous quality assurance and testing as code and why it's necessary.

Cyber Security
Faster White-Box Penetration Testing Through Static Analysis of Configuration Files

The article discusses penetration testing – methods to identify and patch vulnerabilities in an organization's systems and how technology has evolved to make in depth white box penetration testing possible.

Explore a test environment

Try here Demo
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Check out and explore a test environment to run infra audits on sample repositories of web applications and view select reports on CoGuard's interative dashboard today.

Book a Call
© 2021-2024 All rights reserved Heinle Solutions Inc.