Ownership of an executable has been assigned to a user other than root. More often than not, resource owners have write permissions and thus can edit the resource.

Write permissions enable malicious actors, who got a foothold on the container, to tamper with the executable and thus manipulate the container’s expected behavior.
Manipulating executables could disrupt services or aid in escalating privileges inside the container.

This breaches the container immutability principle as it facilitates container changes during its life. Immutability, a container best practice, allows for a more reliable and reproducible behavior of Docker containers.

Resource ownership is not required; executables can be assigned execute permissions using chmod if needed.

Ask Yourself Whether

• A non-root user has write permissions for the executable.

There is a risk if you answered yes to the question.

Recommended Secure Coding Practices

• Use --chmod to change executable permissions at build-time.
• Be mindful of the container immutability principle.

Sensitive Code Example

FROM example

RUN useradd exampleuser
# Sensitive
COPY --chown=exampleuser:exampleuser src.py dst.py

Compliant Solution

FROM example

COPY src.py dst.py

See

• Dockerfile reference - ADD instruction
• Dockerfile reference - COPY instruction
• MITRE, CWE-732 - Incorrect Permission Assignment for Critical Resource
• Google Cloud, Immutability - Best practices for operating containers