Skip to main content
chmod 777/a+rwx sets world-writable permissions, a common ownership confusion workaround.

Description

This rule detects RUN instructions that use chmod 777, chmod a+rwx, mkdir -m 777, or similarly broad world-writable permissions on any path. Setting world-writable permissions is almost always a workaround for ownership confusion rather than an intentional security decision. Common causes:
  • The author does not know which user/group will run the process, so they open permissions to everyone.
  • A WORKDIR was created as root, but the app runs as a non-root user.
  • Files were COPY’d without --chown and the author used chmod 777 instead of fixing ownership.
World-writable paths inside a container allow any process (including a compromised one) to modify files, inject content, or corrupt data. This matters especially for state directories (/data, /var/lib/*, /var/log/*, /var/cache/*, /var/run/*, /srv) that may back persistent volumes or host mounts. The fix is usually one of:
  • Set proper ownership with USER, COPY --chown, or RUN chown
  • Use group permissions (chmod g+w, chgrp 0 && chmod g=u) for OpenShift-style arbitrary-UID containers
  • Use tighter modes (755, 775) that don’t grant write to others

Patterns detected

Octal modes with others-write bit

Any octal mode where the last digit includes write (2, 3, 6, 7):
  • chmod 777 /path (read+write+execute for all)
  • chmod 666 /path (read+write for all)
  • chmod 776 /path (others read+write)
  • mkdir -m 777 /path
  • mkdir -pm 777 /path
  • mkdir --mode=777 /path

Symbolic modes granting others-write

  • chmod a+rwx /path (all: read+write+execute)
  • chmod o+w /path (others: write)
  • chmod +w /path (no who = all: write)
  • chmod a=rwx /path (assign all rwx)

Patterns NOT flagged

  • chmod 755, chmod 644, chmod 775, chmod 770 (no others-write)
  • chmod g+w, chmod g+rwx, chmod g=rwx (group only, not others)
  • chmod g=u (copy user permissions to group, an OpenShift pattern)
  • chmod u+x, chmod +x (execute only, no write)
  • chmod o+r, chmod o+x (read/execute only, no write)

OpenShift and arbitrary-UID containers

Valid OpenShift patterns use group-only permission changes (chgrp 0 && chmod g=u, chmod g+rwx, chmod 775) which do not set the others-write bit and therefore do not trigger this rule. chmod 777 is still flagged even when paired with chgrp, because it grants write to all users, not just the intended group. For OpenShift-compatible containers, prefer chgrp 0 /path && chmod g=u /path over chmod 777 /path.

Examples

Bad

Good

References

Configuration