Image should not have 'root' user
Severity | Exploitability | Providers | Categories |
---|---|---|---|
HIGH | HIGH | Docker, Kubernetes | PERMISSION |
Description
Containers rarely need access to the host's root user. Because there is no strong boundary between containers and other processes on the host, root access inside a container could be used elsewhere on the host.
Impact
Potential data exposure | Visible in logs | User interaction required | Privileges required |
---|---|---|---|
True | False | False | False |
Privilege escalation attacks, root access to the host, and running root-privileged operations on the machine.
Remediation guidelines
Add a 'USER' statement to the Dockerfile with a value other than root or 0. If some commands need root privileges, the 'USER' statement can still be added at the end of the Dockerfile, after those commands have run.
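The remediation can be checked mechanically. The Python sketch below is an added example, not part of the original rule or any scanner's own code: it reports whether the final build stage of a Dockerfile ends up running as root. It assumes a stage with no 'USER' statement runs as root (the base image's default cannot be read from the Dockerfile alone) and does not expand build variables; the function names and sample Dockerfiles are constructed for illustration.

```python
import re

ROOT_VALUES = {"root", "0"}  # the two values the rule rejects


def effective_user(dockerfile_text):
    """Return the USER value in effect at the end of the final stage, or None."""
    # Join backslash line continuations so each instruction is one logical line.
    text = re.sub(r"\\[ \t]*\r?\n", " ", dockerfile_text)
    user = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        instruction = parts[0].upper()
        if instruction == "FROM":
            user = None  # a new stage does not inherit USER from the previous one
        elif instruction == "USER" and len(parts) == 2:
            user = parts[1].strip()  # the last USER in a stage wins
    return user


def runs_as_root(dockerfile_text):
    """True when the final stage has no USER, or its USER is root or 0."""
    user = effective_user(dockerfile_text)
    if user is None:
        return True  # assumption: no USER means the image default, root
    name = user.split(":", 1)[0].strip("'\"")  # drop an optional :group part
    return name in ROOT_VALUES


# Constructed sample Dockerfiles (not taken from any real project).
NO_USER = r"""FROM alpine:3.19
RUN apk add --no-cache curl
"""
SWITCHED_BACK = NO_USER + "USER app\nUSER 0:0\n"
MULTISTAGE = r"""FROM golang:1.22 AS build
USER builder
FROM alpine:3.19
COPY --from=build /out/app /app
"""
HARDENED = r"""FROM alpine:3.19
RUN addgroup -S app \
    && adduser -S app -G app
USER root
RUN apk add --no-cache curl
# Root-only steps are done; drop privileges at the end.
USER app:app
"""

if __name__ == "__main__":
    for name in ("NO_USER", "SWITCHED_BACK", "MULTISTAGE", "HARDENED"):
        print(name, "runs as root:", runs_as_root(globals()[name]))
```

The multi-stage sample shows why only the last stage counts: a 'USER' set in a build stage does not carry over to the stage that becomes the image.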