chmod 777/a+rwx sets world-writable permissions, a common ownership confusion workaround.
Property | Value
Severity | Warning
Category | Security
Default  | Enabled
Auto-fix | Suggestion (octal modes only)

Description

This rule detects RUN instructions that use chmod 777, chmod a+rwx, mkdir -m 777, or similarly broad world-writable permissions on any path. Setting world-writable permissions is almost always a workaround for ownership confusion rather than an intentional security decision. Common causes:
  • The author does not know which user/group will run the process, so they open permissions to everyone.
  • A WORKDIR was created as root, but the app runs as a non-root user.
  • Files were COPY’d without --chown and the author used chmod 777 instead of fixing ownership.
World-writable paths inside a container allow any process (including a compromised one) to modify files, inject content, or corrupt data. This matters especially for state directories (/data, /var/lib/*, /var/log/*, /var/cache/*, /var/run/*, /srv) that may back persistent volumes or host mounts. The fix is usually one of:
  • Set proper ownership with USER, COPY --chown, or RUN chown
  • Use group permissions (chmod g+w, chgrp 0 && chmod g=u) for OpenShift-style arbitrary-UID containers
  • Use tighter modes (755, 775) that don’t grant write to others

Patterns detected

Octal modes with others-write bit

Any octal mode whose last (others) digit has the write bit set (2, 3, 6, 7):
  • chmod 777 /path (read+write+execute for all)
  • chmod 666 /path (read+write for all)
  • chmod 776 /path (others read+write)
  • mkdir -m 777 /path
  • mkdir -pm 777 /path
  • mkdir --mode=777 /path

Symbolic modes granting others-write

  • chmod a+rwx /path (all: read+write+execute)
  • chmod o+w /path (others: write)
  • chmod +w /path (no who specified means all: write)
  • chmod a=rwx /path (assign all rwx)

Patterns NOT flagged

  • chmod 755, chmod 644, chmod 775, chmod 770 (no others-write)
  • chmod g+w, chmod g+rwx, chmod g=rwx (group only, not others)
  • chmod g=u (copy user permissions to group, an OpenShift pattern)
  • chmod u+x, chmod +x (execute only, no write)
  • chmod o+r, chmod o+x (read/execute only, no write)

OpenShift and arbitrary-UID containers

Valid OpenShift patterns use group-only permission changes (chgrp 0 && chmod g=u, chmod g+rwx, chmod 775) which do not set the others-write bit and therefore do not trigger this rule. chmod 777 is still flagged even when paired with chgrp, because it grants write to all users, not just the intended group. For OpenShift-compatible containers, prefer chgrp 0 /path && chmod g=u /path over chmod 777 /path.
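
The classification described in the sections above (octal others-write digit, symbolic +/= with w for o, a or no who, group-only and g=u not flagged), as an added Python example that is not tally's own implementation; it also scans shell-form RUN instructions, joining backslash continuations, which the rule text describes but does not show. Function names and the embedded sample are constructed for this example.

```python
import re
import shlex

def grants_others_write(mode: str) -> bool:
    """Octal: others digit has the write bit (2, 3, 6, 7). Symbolic: '+' or '='
    with 'w' for o, a, or no who (chmod +w means all). '-' never flags."""
    if re.fullmatch(r"[0-7]{3,4}", mode):
        return int(mode[-1], 8) & 0o2 != 0
    for clause in mode.split(","):
        m = re.fullmatch(r"([ugoa]*)([+=-])([rwxXstugo]*)", clause)
        if m and m[2] != "-" and "w" in m[3] and (m[1] == "" or set("ao") & set(m[1])):
            return True
    return False

def mode_argument(argv: list[str]):
    """Mode operand of a chmod or a mkdir -m/-pm/--mode invocation, else None."""
    cmd, args = (argv[0] if argv else ""), argv[1:]
    if cmd == "chmod":  # first non-option operand is the mode
        return next((a for a in args if not a.startswith("-")), None)
    if cmd == "mkdir":
        for i, a in enumerate(args):
            if a.startswith("--mode="):
                return a.split("=", 1)[1]
            if a == "--mode" or re.fullmatch(r"-[A-Za-z]*m", a):  # -m, -pm
                return args[i + 1] if i + 1 < len(args) else None
    return None

def find_world_writable_runs(dockerfile: str) -> list[tuple[str, str]]:
    """(command, mode) for each shell-form RUN command that grants others-write."""
    findings, buf = [], ""
    for raw in dockerfile.splitlines():
        if raw.rstrip().endswith("\\"):  # join backslash continuations
            buf += raw.rstrip()[:-1] + " "
            continue
        line, buf = (buf + raw).strip(), ""
        if not line.upper().startswith("RUN "):
            continue
        for command in re.split(r"&&|\|\||;|\|", line[4:]):
            argv = shlex.split(command)
            mode = mode_argument(argv)
            if mode and grants_others_write(mode):
                findings.append((argv[0], mode))
    return findings

# Constructed sample built from this page's "Bad" examples (constructed input).
SAMPLE = """RUN mkdir -p /data && chmod 777 /data
RUN chmod a+rwx /app
RUN mkdir -pm 777 /var/lib/myapp/logs"""
```

Running find_world_writable_runs(SAMPLE) reports all three RUN lines, while the OpenShift-style chgrp 0 && chmod g=u sequence and chmod 775 produce no findings.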
Rule | Relationship
tally/stateful-root-runtime | Complementary. That rule flags root + state paths; this rule flags world-writable permissions on any path. Both can fire on the same Dockerfile.
tally/prefer-copy-chmod | Complementary. That rule suggests merging COPY + RUN chmod into COPY --chmod; this rule flags the permission mode itself. Different concerns (structure vs security).
tally/copy-after-user-without-chown | Same ownership confusion family. That rule detects missing --chown on COPY after USER; this rule detects chmod workarounds.

Examples

Bad

# World-writable state directory
FROM ubuntu:22.04
RUN mkdir -p /data && chmod 777 /data
CMD ["app"]

# World-writable app directory
FROM ubuntu:22.04
COPY app /app
RUN chmod a+rwx /app
USER appuser
CMD ["/app/server"]

# World-writable mkdir
FROM ubuntu:22.04
RUN mkdir -pm 777 /var/lib/myapp/logs

Good

# Proper ownership with USER and chown
FROM ubuntu:22.04
RUN useradd -r -u 1000 appuser
COPY --chown=appuser:appuser app /app
RUN chmod 755 /app
USER appuser
CMD ["/app/server"]

# OpenShift-style group permissions (not flagged by this rule)
FROM ubuntu:22.04
RUN mkdir -p /data && \
    chgrp 0 /data && \
    chmod g=u /data
USER 1001
CMD ["app"]

# Tight permissions without world-write
FROM ubuntu:22.04
RUN mkdir -p /data && chmod 775 /data
USER appuser
CMD ["app"]

Configuration

[rules.tally.world-writable-state-path-workaround]
severity = "warning"  # Options: "off", "error", "warning", "info", "style"