# COMPOSE-SEC-009: Using Host PID Mode

> **Severity:** HIGH | **CWE:** CWE-250

- **Language:** Docker Compose
- **Category:** Security
- **URL:** https://codepathfinder.dev/registry/docker-compose/security/COMPOSE-SEC-009
- **Detection:** `pathfinder scan --ruleset docker-compose/COMPOSE-SEC-009 --project .`

## Description

This rule detects services using `pid: host`, which disables PID namespace
isolation. This allows the container to see and interact with ALL processes
running on the host system, including sending signals to them, viewing their
command lines, and potentially injecting code.

## Vulnerable Code

```yaml
services:
  monitor:
    image: monitoring-tool
    pid: host  # DANGEROUS - Can see and signal all host processes
```

## Detection Rule (Python SDK)

```python
from rules.container_decorators import compose_rule
from rules.container_matchers import service_has


@compose_rule(
    id="COMPOSE-SEC-009",
    name="Using Host PID Mode",
    severity="HIGH",
    cwe="CWE-250",
    category="security",
    tags="docker-compose,compose,pid,host-pid,security,isolation,namespace,process,information-disclosure",
    message="Service uses host PID namespace. Container can see and potentially signal host processes."
)
def host_pid_mode():
    """
    Detects services using host PID namespace.

    Sharing the host PID namespace allows the container to view all
    host processes, send signals to them, and access sensitive process
    information via /proc.
    """
    return service_has(
        key="pid",
        equals="host"
    )
```
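As an added stand-alone example (not part of the Code Pathfinder SDK or its matchers), the same check written against an already-parsed Compose mapping, paired with the remediation that removes `pid: host`; the constructed sample services, the function names and the use of a plain dict in place of the SDK's `service_has` matcher are assumptions.

```python
from copy import deepcopy

# Constructed sample: the parsed form of a docker-compose.yml (what a YAML
# safe_load would return). One service shares the host PID namespace, one
# uses the default isolated namespace, one joins another container's
# namespace (Docker's `container:<name>` PID mode), which is not host sharing.
SAMPLE_COMPOSE = {
    "services": {
        "monitor": {"image": "monitoring-tool", "pid": "host"},
        "web": {"image": "nginx"},
        "sidecar": {"image": "busybox", "pid": "container:web"},
    }
}


def find_host_pid_services(compose):
    """Return the names of services whose `pid` key is set to `host`.

    Mirrors the rule's `service_has(key="pid", equals="host")` matcher:
    only the literal `host` mode drops PID-namespace isolation. Whitespace
    and case are normalised so `" HOST "` is still caught.
    """
    services = compose.get("services") or {}
    flagged = []
    for name, spec in services.items():
        if not isinstance(spec, dict):
            continue  # malformed entry; leave it to schema validation
        mode = spec.get("pid")
        if isinstance(mode, str) and mode.strip().lower() == "host":
            flagged.append(name)
    return sorted(flagged)


def remove_host_pid(compose):
    """Return a copy of the Compose mapping with `pid: host` removed.

    Dropping the key restores the per-container PID namespace, which is
    the fix this rule asks for; other `pid` values are left untouched.
    """
    fixed = deepcopy(compose)
    for name in find_host_pid_services(fixed):
        del fixed["services"][name]["pid"]
    return fixed


if __name__ == "__main__":
    print("host PID services:", find_host_pid_services(SAMPLE_COMPOSE))
    print("after fix:", find_host_pid_services(remove_host_pid(SAMPLE_COMPOSE)))
```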

## How to Fix

- Review your Dockerfile and Compose configuration to address the host PID mode issue
- Follow Docker's official best practices for image building
- Use `docker build --check` to validate Dockerfile syntax and best practices

## Security Implications

- **Signal Sending:**

  ```bash
  kill -9 <pid>  # Kill host processes (if permissions allow)
  killall -9 sshd  # DoS attack on SSH
  ```

- **Information Disclosure:**

  ```bash
  cat /proc/*/cmdline  # Read command lines (may contain secrets)
  cat /proc/*/environ  # Read environment variables
  ```

## FAQ

**Q: Why does this rule flag using host pid mode?**

Service uses host PID namespace. Container can see and potentially signal host processes.

**Q: How do I fix this?**

Review the vulnerable code example above and apply the recommended fix to your Dockerfile or docker-compose.yml.

## References

- [CWE-250: Execution with Unnecessary Privileges](https://cwe.mitre.org/data/definitions/250.html)
- [Docker PID Namespace Documentation](https://docs.docker.com/engine/security/#pid-mode)
- [CIS Docker Benchmark: Section 5.15](https://www.cisecurity.org/benchmark/docker)

---

Source: https://codepathfinder.dev/registry/docker-compose/security/COMPOSE-SEC-009
Code Pathfinder — Open source, type-aware SAST with cross-file dataflow analysis
