# COMPOSE-SEC-011: Missing no-new-privileges Security Option

> **Severity:** MEDIUM | **CWE:** CWE-732

- **Language:** Docker Compose
- **Category:** Security
- **URL:** https://codepathfinder.dev/registry/docker-compose/security/COMPOSE-SEC-011
- **Detection:** `pathfinder scan --ruleset docker-compose/COMPOSE-SEC-011 --project .`

## Description

This rule detects docker-compose services that do not set the `no-new-privileges:true`
security option. The option sets the kernel's `no_new_privs` flag on the container's processes,
so executing a setuid or setgid binary no longer grants the elevated privileges such binaries
normally confer; without it, those binaries are a ready path for privilege escalation inside
the container.

## Vulnerable Code

```yaml
version: '3'
services:
  web:
    image: nginx
    # Missing no-new-privileges - VULNERABLE
    # Attacker can exploit setuid binaries
    user: www-data
```

## Secure Code

```yaml
version: '3'
services:
  web:
    image: nginx
    user: www-data
    security_opt:
      - no-new-privileges:true  # SECURE
    # Process cannot gain additional privileges
```

## Detection Rule (Python SDK)

```python
from rules.container_decorators import compose_rule
from rules.container_matchers import service_missing


@compose_rule(
    id="COMPOSE-SEC-011",
    name="Missing no-new-privileges Security Option",
    severity="MEDIUM",
    cwe="CWE-732",
    category="security",
    tags="docker-compose,compose,no-new-privileges,security,setuid,privilege-escalation,hardening,capabilities",
    message="Service does not have 'no-new-privileges:true' in security_opt. This allows "
            "processes to gain additional privileges via setuid/setgid binaries, which can be "
            "exploited for privilege escalation attacks."
)
def no_new_privileges():
    """
    Detects services missing the no-new-privileges security option.

    This check looks for services that either:
    1. Have no security_opt defined
    2. Have security_opt but don't include no-new-privileges:true
    """
    return service_missing(
        key="security_opt",
        value_contains="no-new-privileges:true"
    )
```
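The two cases listed in the docstring above, written as a stand-alone checker over an already parsed compose document (an added example, not part of the Code Pathfinder SDK). It also recognises the `no-new-privileges=true` and bare `no-new-privileges` spellings, on the assumption that Docker treats them as equivalent to `no-new-privileges:true`, and reports the YAML mistake of writing a space after the colon; the sample compose data is constructed.

```python
from typing import Dict, Optional

# Entries Docker treats as enabling the no_new_privs bit. The page's rule matches only the
# first form; the other two are included on the assumption (Docker CLI behaviour) that
# "no-new-privileges=true" and the bare "no-new-privileges" are equivalent.
_SATISFYING = {"no-new-privileges:true", "no-new-privileges=true", "no-new-privileges"}


def check_service(service: dict) -> Optional[str]:
    """Return a finding for one parsed service, or None when no-new-privileges is enabled."""
    opts = service.get("security_opt")
    if opts is None:
        return "security_opt not defined"
    if not isinstance(opts, list):
        return "security_opt must be a list"
    texts = [entry.strip().lower() for entry in opts if isinstance(entry, str)]
    if any(text in _SATISFYING for text in texts):
        return None
    if len(texts) != len(opts):
        # YAML gotcha: "- no-new-privileges: true" (space after the colon) parses as a
        # mapping, not the string Docker expects, so the option is not applied as intended.
        return "security_opt entry is not a string (remove the space after the colon)"
    if any(text.startswith("no-new-privileges") for text in texts):
        return "no-new-privileges present but not enabled"
    return "security_opt present but does not enable no-new-privileges"


def find_missing_no_new_privileges(compose: dict) -> Dict[str, str]:
    """Map each failing service name to the reason, over a parsed docker-compose document."""
    findings = {}
    for name, service in (compose.get("services") or {}).items():
        reason = check_service(service or {})
        if reason is not None:
            findings[name] = reason
    return findings


# Constructed sample: the parsed form of a compose file with one hardened and three flawed services.
SAMPLE_COMPOSE = {
    "services": {
        "web": {"image": "nginx", "user": "www-data"},  # no security_opt at all
        "api": {"image": "app", "security_opt": ["no-new-privileges:true"]},  # hardened
        "db": {"image": "postgres", "security_opt": ["seccomp=unconfined"]},  # other option only
        "cache": {"image": "redis", "security_opt": [{"no-new-privileges": True}]},  # YAML gotcha
    }
}

if __name__ == "__main__":
    for name, reason in find_missing_no_new_privileges(SAMPLE_COMPOSE).items():
        print(f"COMPOSE-SEC-011 {name}: {reason}")
```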

## How to Fix

- Review your Dockerfile to address the missing `no-new-privileges` security option issue
- Follow Docker official best practices for image building
- Use `docker build --check` to validate Dockerfile syntax and best practices

## Security Implications

- **Setuid Binary Exploitation:** Exploit setuid/setgid binaries to escalate from a low-privilege user to root within the container.
- **Capability Escalation:** Use setuid binaries to acquire additional Linux capabilities that can be used for container escape.
- **Binary Injection:** Replace legitimate setuid binaries with malicious versions that grant root access to attackers. Real-world attack scenario:

```bash
# Attacker gains shell as www-data user
# Container has sudo with setuid bit
ls -la /usr/bin/sudo
# -rwsr-xr-x 1 root root 157192 Jan 20  2021 /usr/bin/sudo
# Without no-new-privileges, the setuid bit takes effect on exec and the attacker can escalate
/usr/bin/sudo /bin/bash
# Now root in container
```

## FAQ

**Q: Why does this rule flag missing no-new-privileges security option?**

The service does not set the `no-new-privileges` security option. Without it, processes inside the container can gain additional privileges through setuid binaries or capability escalation.

**Q: How do I fix this?**

Review the secure code example above and apply the recommended pattern to your Dockerfile or docker-compose.yml.

## References

- [CWE-732: Incorrect Permission Assignment for Critical Resource](https://cwe.mitre.org/data/definitions/732.html)
- [Linux kernel documentation: no_new_privs](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt)
- [Docker Capabilities and no-new-privs (raesene.github.io)](https://raesene.github.io/blog/2019/06/01/docker-capabilities-and-no-new-privs/)
- [OWASP Docker Security Cheat Sheet, Rule 4: Add no-new-privileges flag](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag)
- [OWASP A05:2021 - Security Misconfiguration](https://owasp.org/www-project-top-ten/)

---

Source: https://codepathfinder.dev/registry/docker-compose/security/COMPOSE-SEC-011
Code Pathfinder — Open source, type-aware SAST with cross-file dataflow analysis
