# DOCKER-AUD-003: Privileged Port Exposed

> **Severity:** MEDIUM | **CWE:** CWE-250

- **Language:** Docker
- **Category:** Audit
- **URL:** https://codepathfinder.dev/registry/docker/audit/DOCKER-AUD-003
- **Detection:** `pathfinder scan --ruleset docker/DOCKER-AUD-003 --project .`

## Description

This rule detects EXPOSE instructions for ports below 1024 (privileged ports).
On Unix-like systems, binding to ports 1-1023 traditionally requires root privileges
(or the CAP_NET_BIND_SERVICE capability), which conflicts with the security best
practice of running containers as non-root users. The rule is informational, since
exposing a privileged port is sometimes intentional, but it flags that the image may
need elevated privileges to bind the port at runtime.

## Vulnerable Code

```dockerfile
FROM ubuntu:22.04

RUN apt-get update && \
    apt-get install -y --no-install-recommends nginx && \
    rm -rf /var/lib/apt/lists/*

# Bad: Requires root to bind
EXPOSE 80

CMD ["nginx", "-g", "daemon off;"]
```

## Detection Rule (Python SDK)

```python
from codepathfinder.container_decorators import dockerfile_rule
from codepathfinder.container_matchers import instruction


@dockerfile_rule(
    id="DOCKER-AUD-003",
    name="Privileged Port Exposed",
    severity="MEDIUM",
    cwe="CWE-250",
    category="audit",
    tags="docker,dockerfile,port,expose,privileged,root,security,unix,networking,capabilities,best-practice",
    message="Exposing port below 1024 typically requires root privileges to bind. Consider using non-privileged ports (>1024) with port mapping or granting CAP_NET_BIND_SERVICE capability."
)
def privileged_port():
    """
    Detects exposure of privileged ports (1-1023).

    Binding to privileged ports requires root privileges or CAP_NET_BIND_SERVICE
    capability, which conflicts with running containers as non-root users.
    """
    return instruction(
        type="EXPOSE",
        port_less_than=1024
    )
```

## How to Fix

- Never run containers in privileged mode in production
- Use specific Linux capabilities (cap_add) instead of full privileges
- Use seccomp profiles to restrict system calls
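The check this rule performs, and the two remediations its message names (move the service to an unprivileged port and publish it with a host port mapping, or grant CAP_NET_BIND_SERVICE), as an added example that is not part of this page or of the Code Pathfinder SDK: a small stand-alone parser that walks a Dockerfile's logical lines (joining backslash continuations), expands each EXPOSE argument (single ports, `port/proto`, and `lo-hi` ranges) and reports every port in the range 1-1023. The three Dockerfiles are constructed samples; the `setcap` variant is shown as the capability-based alternative and is still reported, because the rule is informational and the reviewer decides whether the privileged port is intended.

```python
"""Added example (not Code Pathfinder code): a stand-alone re-implementation of
the DOCKER-AUD-003 check, run over constructed sample Dockerfiles."""
import re
from dataclasses import dataclass

PRIVILEGED_MAX = 1023  # ports 1-1023 need root or CAP_NET_BIND_SERVICE to bind


@dataclass
class Finding:
    line: int   # physical line where the EXPOSE instruction starts
    port: int   # the privileged port that was exposed
    text: str   # the full (joined) instruction


def _logical_lines(dockerfile):
    """Yield (line_no, instruction) with backslash continuations joined and
    comment lines dropped; line_no is the first physical line of the instruction."""
    buf, start = [], None
    for no, line in enumerate(dockerfile.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("#") or (not buf and not stripped):
            continue
        if start is None:
            start = no
        if stripped.endswith("\\"):
            buf.append(stripped[:-1].rstrip())
            continue
        buf.append(stripped)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:  # file ended inside a continuation
        yield start, " ".join(buf)


def _ports(arg):
    """Expand one EXPOSE argument ('80', '443/tcp', '8000-8010/udp') to ints.
    Arguments that reference build ARGs ('$PORT') cannot be resolved
    statically and expand to nothing."""
    m = re.fullmatch(r"(\d+)(?:-(\d+))?(?:/(?:tcp|udp))?", arg, re.IGNORECASE)
    if not m:
        return []
    lo = int(m.group(1))
    hi = int(m.group(2) or lo)
    return list(range(lo, hi + 1))


def find_privileged_ports(dockerfile):
    """Return a Finding for every exposed port in the range 1-1023."""
    findings = []
    for no, text in _logical_lines(dockerfile):
        parts = text.split()
        if not parts or parts[0].upper() != "EXPOSE":
            continue
        for arg in parts[1:]:
            for port in _ports(arg):
                if 1 <= port <= PRIVILEGED_MAX:
                    findings.append(Finding(no, port, text))
    return findings


# Constructed sample 1: the vulnerable Dockerfile from this page.
VULNERABLE = """\
FROM ubuntu:22.04
RUN apt-get update && \\
    apt-get install -y --no-install-recommends nginx && \\
    rm -rf /var/lib/apt/lists/*
# Bad: requires root to bind
EXPOSE 80
CMD ["nginx", "-g", "daemon off;"]
"""

# Constructed sample 2: remediation by port choice. The copied nginx.conf
# (assumed, not shown) sets `listen 8080`, and the host publishes it with
# `docker run -p 80:8080 ...` if port 80 must be reachable.
FIXED_PORT = """\
FROM ubuntu:22.04
RUN apt-get update && \\
    apt-get install -y --no-install-recommends nginx && \\
    rm -rf /var/lib/apt/lists/*
COPY nginx.conf /etc/nginx/nginx.conf
EXPOSE 8080
CMD ["nginx", "-g", "daemon off;"]
"""

# Constructed sample 3: remediation by capability. setcap (from libcap2-bin)
# grants CAP_NET_BIND_SERVICE to the nginx binary so a non-root process can
# bind 80; the rule still reports the EXPOSE and the reviewer accepts it.
FIXED_CAP = """\
FROM ubuntu:22.04
RUN apt-get update && \\
    apt-get install -y --no-install-recommends nginx libcap2-bin && \\
    rm -rf /var/lib/apt/lists/* && \\
    setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx
EXPOSE 80
CMD ["nginx", "-g", "daemon off;"]
"""

if __name__ == "__main__":
    for name, df in [("vulnerable", VULNERABLE), ("fixed-port", FIXED_PORT),
                     ("fixed-cap", FIXED_CAP)]:
        for f in find_privileged_ports(df):
            print(f"{name}: line {f.line}: privileged port {f.port} in '{f.text}'")
```

EXPOSE is metadata: it does not bind anything, and the port a service actually listens on is set by its own configuration (for nginx, the `listen` directive). Changing only the EXPOSE line silences the rule without changing runtime behaviour, so the service port, the EXPOSE line and the host mapping should move together. Arguments that come from build ARGs cannot be resolved statically and are skipped by this parser, so those instructions still need a manual look.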

## FAQ

**Q: What does privileged mode do?**

Privileged mode gives the container almost all capabilities of the host, including access to all devices. It effectively removes all container isolation.

**Q: What should I use instead of privileged mode?**

Identify the specific capability needed (e.g., SYS_PTRACE for debugging) and add only that with cap_add. This follows the principle of least privilege.

## References

- [Linux Capabilities: CAP_NET_BIND_SERVICE](https://man7.org/linux/man-pages/man7/capabilities.7.html)
- [CIS Docker Benchmark: Section 4.5](https://www.cisecurity.org/benchmark/docker)
- [OWASP Docker Security Cheat Sheet](https://owasp.org/www-project-top-ten/)
- [RFC 6335: Internet Assigned Numbers Authority (IANA)](https://www.rfc-editor.org/rfc/rfc6335)

---

Source: https://codepathfinder.dev/registry/docker/audit/DOCKER-AUD-003
Code Pathfinder — Open source, type-aware SAST with cross-file dataflow analysis
