# DOCKER-SEC-001: Container Running as Root - Missing USER

> **Severity:** HIGH | **CWE:** CWE-250

- **Language:** Docker
- **Category:** Security
- **URL:** https://codepathfinder.dev/registry/docker/security/DOCKER-SEC-001
- **Detection:** `pathfinder scan --ruleset docker/DOCKER-SEC-001 --project .`

## Description

This rule detects Dockerfiles that do not specify a USER instruction, causing
containers to run with root privileges by default. Running containers as root
significantly increases the attack surface and potential impact of a container
compromise.

## Vulnerable Code

```dockerfile
FROM ubuntu:22.04

# No USER instruction - container runs as root
RUN apt-get update && apt-get install -y nginx
COPY app /app
CMD ["nginx", "-g", "daemon off;"]
```

## Secure Code

```dockerfile
FROM ubuntu:22.04

# Create non-root user with specific UID/GID
RUN groupadd -r appuser -g 999 && \
    useradd -r -u 999 -g appuser appuser

# Install dependencies as root
RUN apt-get update && apt-get install -y nginx

# Switch to non-root user
USER appuser

# Copy application files (now owned by appuser)
COPY --chown=appuser:appuser app /app

CMD ["nginx", "-g", "daemon off;"]
```

## Detection Rule (Python SDK)

```python
from codepathfinder.container_decorators import dockerfile_rule
from codepathfinder.container_matchers import missing


@dockerfile_rule(
    id="DOCKER-SEC-001",
    name="Container Running as Root - Missing USER",
    severity="HIGH",
    cwe="CWE-250",
    category="security",
    tags="docker,dockerfile,container,security,privilege-escalation,root,user,best-practice,hardening,principle-of-least-privilege",
    message="Dockerfile does not specify USER instruction. Container will run as root by default, which increases the attack surface if the container is compromised."
)
def missing_user_instruction():
    """
    Detects Dockerfiles that do not specify a USER instruction.

    Running containers as root is a security risk because if an attacker
    gains access to the container, they have root privileges which can be
    used for privilege escalation or lateral movement.
    """
    return missing(instruction="USER")
```

## How to Fix

- Add a `USER` instruction after installing packages so the container runs as non-root
- Create a dedicated user with `useradd -r -s /bin/false appuser`
- Use multi-stage builds to install as root, then copy the artifacts into a non-root final stage

## FAQ

**Q: Why is running containers as root dangerous?**

Root in a container maps to root on the host by default. If an attacker escapes the container, they have full host access. Running as non-root limits the blast radius of any compromise.

**Q: What if my application needs root to bind to port 80?**

Use a high port (e.g., 8080) and let the container runtime or reverse proxy handle port mapping. Alternatively, grant only CAP_NET_BIND_SERVICE capability.

**Q: How do I fix file permission issues after adding USER?**

Set ownership during the build with `chown` before switching to `USER`. For example: `COPY --chown=appuser:appuser . /app`

## References

- [CWE-250: Execution with Unnecessary Privileges](https://cwe.mitre.org/data/definitions/250.html)
- [NIST SP 800-190: Application Container Security Guide](https://csrc.nist.gov/publications)
- [Docker Security Best Practices](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html)
- [Principle of Least Privilege (PoLP)](https://csrc.nist.gov/glossary/term/least_privilege)

---

Source: https://codepathfinder.dev/registry/docker/security/DOCKER-SEC-001
Code Pathfinder — Open source, type-aware SAST with cross-file dataflow analysis
