Container Running as Root - Missing USER

HIGH

Dockerfile does not specify USER instruction. Container will run as root by default, which increases the attack surface if the container is compromised.

Rule Information

Language: Docker
Category: Security
Author: Shivasurya
Last Updated: 2026-03-22
Tags: docker, dockerfile, container, security, privilege-escalation, root, user, best-practice, hardening, principle-of-least-privilege
CWE References

Interactive Playground

Experiment with the vulnerable code and security rule below. Edit the code to see how the rule detects different vulnerability patterns.

pathfinder scan --ruleset docker/DOCKER-SEC-001 --project .

About This Rule

Understanding the vulnerability and how it is detected

This rule detects Dockerfiles that do not specify a USER instruction, causing containers to run with root privileges by default. Running containers as root significantly increases the attack surface and potential impact of a container compromise.

How to Fix

Recommended remediation steps

  1. Add a USER instruction after installing packages to run as non-root
  2. Create a dedicated user with useradd -r -s /bin/false appuser
  3. Use multi-stage builds to install as root, then copy to a non-root final stage

References

External resources and documentation

Similar Rules

Explore related security rules for Docker

Frequently Asked Questions

Common questions about Container Running as Root - Missing USER

Root in a container maps to root on the host by default. If an attacker escapes the container, they have full host access. Running as non-root limits the blast radius of any compromise.

Use a high port (e.g., 8080) and let the container runtime or reverse proxy handle port mapping. Alternatively, grant only the CAP_NET_BIND_SERVICE capability.

Set ownership during the build with chown before switching to USER. For example: COPY --chown=appuser:appuser . /app

New feature

Get these findings posted directly on your GitHub pull requests

The Container Running as Root - Missing USER rule runs in CI and posts inline review comments on the exact lines — no dashboard, no SARIF viewer.
