turbot/docker_compliance
GitHub
Loading controls...

Control: 5.24 Ensure that docker exec commands are not used with the user=root option

Description

You should not use docker exec with the --user=root option.

Using the --user=root option in a docker exec command, executes it within the container as the root user. This could potentially be insecure, particularly when you are running containers with reduced capabilities or enhanced restrictions.

For example, if your container is running as a tomcat user (or any other non-root user), it would be possible to run a command through docker exec as root with the --user=root option. This could potentially be dangerous.

Remediation

You should not use the --user=root option in docker exec commands.

Default Value

By default, the docker exec command runs without the --user option.

Usage

Run the control in your terminal:

steampipe check docker_compliance.control.cis_v160_5_24

Snapshot and share results via Steampipe Cloud:

steampipe login
steampipe check --share docker_compliance.control.cis_v160_5_24

SQL

This control uses a named query:

exec_docker_exec_command_no_user_root_option

Tags