Docker’s COPY and ADD instructions support --chown and --chmod flags that set the ownership and permission bits of files and directories copied into the image. Misconfiguring these flags can enable privilege escalation within the container.
When files or directories are copied into a Docker image, assigning ownership to a non-root user through --chown allows that user to modify critical container resources. Even if the file is copied without write permissions, the owner can always grant themselves write access by changing the file’s permission bits: chmod requires ownership, not write permission, so a 555 file owned by a non-root user is only one `chmod u+w` away from being writable.
This also violates the container immutability principle. Containers should produce the same behavior at every run, which requires their resources to remain unchanged during the container’s lifecycle.
If an attacker gains a foothold in the container as a non-root user, owning sensitive files allows them to modify those resources and manipulate the container’s expected behavior. This can cause service outages or aid in escalating privileges inside the container.
Do not assign ownership of sensitive resources to non-root users. Files copied without --chown are owned by root by default; use --chown=root:root to make that explicit, and use --chmod to grant the minimum permissions non-root users need to read or execute the file without being able to modify it (no write bit for group or others). Note that --chmod on COPY and ADD requires BuildKit, so builds must run with BuildKit enabled for the flag to be honored.
Noncompliant code example:

FROM example
RUN useradd example
ADD --chown=example:example entrypoint.sh /usr/local/bin/entrypoint.sh # Noncompliant
COPY --chown=example:example start.sh /app/start.sh # Noncompliant
COPY --chown=example:example libcustom.so /usr/lib/libcustom.so # Noncompliant
Compliant solution:

FROM example
ADD --chown=root:root --chmod=755 entrypoint.sh /usr/local/bin/entrypoint.sh
COPY --chown=root:root --chmod=755 start.sh /app/start.sh
COPY --chown=root:root --chmod=644 libcustom.so /usr/lib/libcustom.so
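As an added example (not part of the original rule text or of Docker itself), the following Python script checks a Dockerfile for the pattern described above: every ADD or COPY whose --chown hands the file to a non-root user, plus any --chmod that leaves a group or world write bit set, which would make even a root-owned file modifiable. It joins backslash continuations, skips comments, and treats a missing --chown as root ownership, which is Docker's default. The sample Dockerfile embedded in the script is constructed for the demonstration; the image name `example`, the `example` user and the file names are placeholders.

```python
import shlex

# Identifiers Docker accepts for the root user in --chown=user:group.
ROOT_IDS = {"root", "0"}

# Constructed sample Dockerfile (assumption: base image and file names are placeholders).
SAMPLE_DOCKERFILE = """\
FROM example
RUN useradd example
ADD --chown=example:example entrypoint.sh /usr/local/bin/entrypoint.sh
COPY --chown=example:example start.sh /app/start.sh
COPY --chown=root:root --chmod=755 start.sh /app/start.sh
COPY --chown=0:0 --chmod=664 libcustom.so \\
     /usr/lib/libcustom.so
# No --chown: Docker keeps root ownership, so this one is fine.
COPY app/ /app/
"""


def logical_lines(text):
    """Yield (start_line, instruction) for each Dockerfile instruction,
    joining backslash-continued lines and dropping blank and comment lines."""
    buf, start = [], 0
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # Dockerfile also allows comments inside a continuation
        if not buf:
            start = num
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf = []
    if buf:  # dangling continuation at end of file
        yield start, " ".join(buf)


def split_flags(args):
    """Separate the leading --key=value flags from the source/destination list."""
    flags, rest = {}, []
    for tok in args:
        if not rest and tok.startswith("--") and "=" in tok:
            key, val = tok[2:].split("=", 1)
            flags[key] = val
        else:
            rest.append(tok)
    return flags, rest


def check_dockerfile(text):
    """Return a list of (line_number, instruction, reason) findings."""
    findings = []
    for num, instr in logical_lines(text):
        tokens = shlex.split(instr)
        if not tokens or tokens[0].upper() not in ("ADD", "COPY"):
            continue
        flags, _ = split_flags(tokens[1:])

        # Ownership: absent --chown means root, otherwise look at the user part.
        owner = flags.get("chown", "root:root")
        user = owner.split(":", 1)[0]
        if user and user not in ROOT_IDS:
            findings.append((num, instr, f"non-root owner '{user}'"))

        # Permission bits: any write bit for group or others makes the file
        # modifiable by a non-root process even when root owns it.
        mode = flags.get("chmod")
        if mode is not None:
            try:
                bits = int(mode, 8)
            except ValueError:
                findings.append((num, instr, f"unparseable --chmod={mode}"))
                continue
            if bits & 0o022:
                findings.append((num, instr, f"--chmod={mode} grants group/other write"))
    return findings


if __name__ == "__main__":
    for line, instr, reason in check_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {line}: {reason}\n    {instr}")
```

Run against a real Dockerfile by reading the file into `check_dockerfile`; the check is intentionally conservative and flags every non-root `--chown`, so entries for genuinely non-sensitive data directories (writable application state, for instance) need to be reviewed rather than blindly fixed.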