# DOCKER-SEC-007: Sudo Usage in Dockerfile

> **Severity:** MEDIUM | **CWE:** CWE-250

- **Language:** Docker
- **Category:** Security
- **URL:** https://codepathfinder.dev/registry/docker/security/DOCKER-SEC-007
- **Detection:** `pathfinder scan --ruleset docker/DOCKER-SEC-007 --project .`

## Description

This rule detects the use of 'sudo' in RUN instructions within a Dockerfile.
Using sudo in Docker containers is an anti-pattern that indicates confusion about
Docker's privilege model and can introduce security vulnerabilities.

## Vulnerable Code

```python
FROM ubuntu:latest

# Installing sudo (unnecessary and dangerous)
RUN apt-get update && apt-get install -y sudo

# Using sudo in RUN (redundant - already root)
RUN sudo apt-get install -y nginx

# Creating sudoers file (privilege escalation risk)
RUN echo "appuser ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers

USER appuser
# Now attacker with access can easily become root
CMD ["sudo", "/bin/bash"]
```

## Secure Code

```python
FROM ubuntu:latest

# Install packages without sudo (we're already root)
RUN apt-get update && apt-get install -y nginx \\
    && apt-get clean

# Create non-root user
RUN useradd -r -s /bin/false appuser

# Switch to non-root for runtime
USER appuser

# Run application as non-root
CMD ["nginx", "-g", "daemon off;"]
```

## Detection Rule (Python SDK)

```python
from codepathfinder.container_decorators import dockerfile_rule
from codepathfinder.container_matchers import instruction
from codepathfinder.container_combinators import any_of


@dockerfile_rule(
    id="DOCKER-SEC-007",
    name="Sudo Usage in Dockerfile",
    severity="MEDIUM",
    cwe="CWE-250",
    category="security",
    tags="docker,dockerfile,sudo,security,privilege-escalation,anti-pattern,best-practice,user,root,unnecessary",
    message="Dockerfile uses 'sudo' in RUN instructions. This is unnecessary during "
            "build (already root) and increases security risk if sudo remains in the "
            "final image. Use USER instruction for privilege changes instead."
)
def no_sudo_in_dockerfile():
    """
    Detects usage of sudo in RUN instructions.

    Matches patterns like:
    - RUN sudo apt-get install
    - RUN sudo -u user command
    - RUN sudo command

    """
    return any_of(
        instruction(type="RUN", contains="sudo "),
        instruction(type="RUN", regex=r"sudo\s+"),
        instruction(type="RUN", contains="sudo\n"),
        instruction(type="RUN", contains="sudo;"),
        instruction(type="RUN", contains="sudo&&"),
        instruction(type="RUN", contains="sudo||")
    )
```

## How to Fix

- Remove sudo from RUN instructions since Docker build runs as root by default
- Use the USER instruction to switch to non-root for the final image
- Do not install sudo in the final image to eliminate privilege escalation paths

## Security Implications

- **Unnecessary Complexity:** Docker containers already run commands as root by default during build time, making sudo redundant and confusing.
- **False Sense of Security:** Developers may assume sudo provides security isolation, when in reality it adds no protection in a container context.
- **Privilege Escalation Path:** If sudo is installed and configured in the final image, it provides an easy privilege escalation mechanism if an attacker gains access.
- **Attack Surface:** sudo binary itself has had security vulnerabilities (CVE-2021-3156 "Baron Samedit") that can be exploited if present in the container. WHY SUDO DOESN'T MAKE SENSE IN DOCKER:
```dockerfile
# WRONG: Redundant sudo during build (already root)
RUN sudo apt-get update # CORRECT: Just run the command (build runs as root)
RUN apt-get update # WRONG: Using sudo to run as different user
RUN sudo -u appuser /app/script.sh # CORRECT: Use USER instruction instead
USER appuser
RUN /app/script.sh
```

## FAQ

**Q: Why is sudo unnecessary in Dockerfile RUN instructions?**

Docker executes RUN instructions as root during build. Using sudo is redundant and indicates confusion about the Docker privilege model.

**Q: How do I run commands as a different user during build?**

Use the USER instruction to switch users, then subsequent RUN commands execute as that user. Switch back to root if needed for package installation.

## References

- [CWE-250: Execution with Unnecessary Privileges](https://cwe.mitre.org/data/definitions/250.html)
- [docs.docker.com](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#user)
- [Docker Security Best Practices](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html)
- [CVE-2021-3156 (sudo vulnerability)](https://nvd.nist.gov/vuln/detail/CVE-2021-3156)

---

Source: https://codepathfinder.dev/registry/docker/security/DOCKER-SEC-007
Code Pathfinder — Open source, type-aware SAST with cross-file dataflow analysis