Rule Information
Tags
docker-composecomposeno-new-privilegessecuritysetuidprivilege-escalationhardeningcapabilities
CWE References
Interactive Playground
Experiment with the vulnerable code and security rule below. Edit the code to see how the rule detects different vulnerability patterns.
pathfinder scan --ruleset docker-compose/COMPOSE-SEC-011 --project .1
2
3
4
5
6
7
rule.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
About This Rule
Understanding the vulnerability and how it is detected
This rule detects docker-compose services that do not set the `no-new-privileges:true` security option. This option prevents processes in the container from gaining additional privileges through setuid or setgid binaries, which can be used for privilege escalation attacks.
Security Implications
Potential attack scenarios if this vulnerability is exploited
1
Setuid Binary Exploitation
Exploit setuid/setgid binaries to escalate from a low-privilege user to root within the container.
2
Capability Escalation
Use setuid binaries to acquire additional Linux capabilities that can be used for container escape.
3
Binary Injection
Replace legitimate setuid binaries with malicious versions that grant root access to attackers. Real-world attack scenario: ```bash # Attacker gains shell as www-data user # Container has sudo with setuid bit ls -la /usr/bin/sudo -rwsr-xr-x 1 root root 157192 Jan 20 2021 /usr/bin/sudo # Without no-new-privileges, attacker can escalate /usr/bin/sudo /bin/bash # Now root in container ```
How to Fix
Recommended remediation steps
- 1Review your Dockerfile to address the missing no-new-privileges security option issue
- 2Follow Docker official best practices for image building
- 3Use docker build --check to validate Dockerfile syntax and best practices
References
External resources and documentation
Similar Rules
Explore related security rules for Docker Compose
LOW
Container Filesystem is Writable
Service has writable root filesystem. Consider making it read-only for better security.
MEDIUM
Using Host IPC Mode
Service uses host IPC namespace. Container shares inter-process communication with host.
MEDIUM
SELinux Separation Disabled
Service has label:disable in security_opt, which disables SELinux mandatory access control. This removes an important defense-in-depth layer for container isolation.
Frequently Asked Questions
Common questions about Missing no-new-privileges Security Option
Service does not have no-new-privileges security option. Without this, processes inside the container can gain additional privileges via setuid binaries or capability escalation.
Review the secure code example in the playground above and apply the recommended pattern to your Dockerfile or docker-compose.yml.
New feature
Get these findings posted directly on your GitHub pull requests
The Missing no-new-privileges Security Option rule runs in CI and posts inline review comments on the exact lines — no dashboard, no SARIF viewer.