# COMPOSE-SEC-001: Service Running in Privileged Mode

> **Severity:** CRITICAL | **CWE:** CWE-250

- **Language:** Docker Compose
- **Category:** Security
- **URL:** https://codepathfinder.dev/registry/docker-compose/security/COMPOSE-SEC-001
- **Detection:** `pathfinder scan --ruleset docker-compose/COMPOSE-SEC-001 --project .`

## Description

This rule detects docker-compose services configured with `privileged: true`.
Privileged mode disables almost all container security features, granting the
container nearly all capabilities of the host machine. This is equivalent to
running as root on the host and can lead to complete host compromise.

## Vulnerable Code

```python
version: '3.8'
services:
  # CRITICAL SECURITY ISSUE
  docker_runner:
    image: gitlab/gitlab-runner:latest
    privileged: true  # DANGEROUS!
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
```

## Detection Rule (Python SDK)

```python
from rules.container_decorators import compose_rule
from rules.container_matchers import service_has


@compose_rule(
    id="COMPOSE-SEC-001",
    name="Service Running in Privileged Mode",
    severity="CRITICAL",
    cwe="CWE-250",
    category="security",
    tags="docker-compose,compose,service,privileged,security,privilege-escalation,container-escape,capabilities,critical,host-access",
    message="Service is running in privileged mode. This grants container equivalent of root capabilities on the host machine. Can lead to container escapes and privilege escalation."
)
def privileged_service():
    """
    Detects services with privileged: true.

    Privileged mode disables almost all container isolation, giving
    the container nearly all capabilities of the host. This is extremely
    dangerous and should be avoided except in very rare circumstances.
    """
    return service_has(
        key="privileged",
        equals=True
    )
```

## How to Fix

- Never run containers in privileged mode in production
- Use specific Linux capabilities (cap_add) instead of full privileges
- Use seccomp profiles to restrict system calls

## FAQ

**Q: What does privileged mode do?**

Privileged mode gives the container almost all capabilities of the host, including access to all devices. It effectively removes all container isolation.

**Q: What should I use instead of privileged mode?**

Identify the specific capability needed (e.g., SYS_PTRACE for debugging) and add only that with cap_add. This follows the principle of least privilege.

## References

- [CWE-250: Execution with Unnecessary Privileges](https://cwe.mitre.org/data/definitions/250.html)
- [CIS Docker Benchmark: Section 5.4](https://www.cisecurity.org/benchmark/docker)
- [Docker Security Best Practices](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html)
- [Linux Capabilities man page](https://man7.org/linux/man-pages/man7/capabilities.7.html)
- [NIST SP 800-190: Container Security Guide](https://csrc.nist.gov/publications)

---

Source: https://codepathfinder.dev/registry/docker-compose/security/COMPOSE-SEC-001
Code Pathfinder — Open source, type-aware SAST with cross-file dataflow analysis