Description
This rule detectsRUN instructions that use chmod 777, chmod a+rwx,
mkdir -m 777, or similarly broad world-writable permissions on any path.
Setting world-writable permissions is almost always a workaround for
ownership confusion rather than an intentional security decision. Common
causes:
- The author does not know which user/group will run the process, so they open permissions to everyone.
- A
WORKDIRwas created as root, but the app runs as a non-root user. - Files were
COPY’d without--chownand the author usedchmod 777instead of fixing ownership.
/data, /var/lib/*,
/var/log/*, /var/cache/*, /var/run/*, /srv) that may back
persistent volumes or host mounts.
The fix is usually one of:
- Set proper ownership with
USER,COPY --chown, orRUN chown - Use group permissions (
chmod g+w,chgrp 0 && chmod g=u) for OpenShift-style arbitrary-UID containers - Use tighter modes (
755,775) that don’t grant write to others
Patterns detected
Octal modes with others-write bit
Any octal mode where the last digit includes write (2, 3, 6, 7):chmod 777 /path(read+write+execute for all)chmod 666 /path(read+write for all)chmod 776 /path(others read+write)mkdir -m 777 /pathmkdir -pm 777 /pathmkdir --mode=777 /path
Symbolic modes granting others-write
chmod a+rwx /path(all: read+write+execute)chmod o+w /path(others: write)chmod +w /path(no who = all: write)chmod a=rwx /path(assign all rwx)
Patterns NOT flagged
chmod 755,chmod 644,chmod 775,chmod 770(no others-write)chmod g+w,chmod g+rwx,chmod g=rwx(group only, not others)chmod g=u(copy user permissions to group, an OpenShift pattern)chmod u+x,chmod +x(execute only, no write)chmod o+r,chmod o+x(read/execute only, no write)
OpenShift and arbitrary-UID containers
Valid OpenShift patterns use group-only permission changes (chgrp 0 && chmod g=u,
chmod g+rwx, chmod 775) which do not set the others-write bit and therefore
do not trigger this rule. chmod 777 is still flagged even when paired with chgrp,
because it grants write to all users, not just the intended group.
For OpenShift-compatible containers, prefer chgrp 0 /path && chmod g=u /path
over chmod 777 /path.
Relationship to related rules
Examples
Bad
Good
References
- Dockerfile reference — USER
- Dockerfile reference — COPY —chown
- Red Hat — A Guide to OpenShift and UIDs
- Docker Blog — Understanding the Docker USER Instruction