Summary
The Docker container runs nginx as root by default, increasing the attack surface if the container is compromised.
Location
Dockerfile (lines 28-45)
Description
The Dockerfile uses nginx:alpine as the base image without specifying a non-root user:
FROM nginx:alpine
# ... no USER directive
By default, nginx:alpine runs as root. If an attacker compromises the nginx process, they have root privileges within the container.
Impact
- Privilege Escalation: Compromised process has root access in container
- Container Breakout: Root access increases likelihood of container escape
- File System Access: Full read/write access to container filesystem
While container isolation provides some protection, running as non-root follows defense-in-depth principles.
Remediation
Option 1: Use nginx unprivileged image (recommended)
FROM nginxinc/nginx-unprivileged:alpine
# Runs as nginx user (UID 101) by default
Option 2: Add non-root user to existing Dockerfile
FROM nginx:alpine
# Create non-root user
RUN addgroup -g 101 -S nginx && \
adduser -S -D -H -u 101 -h /var/cache/nginx -s /sbin/nologin -G nginx nginx
# Change ownership of necessary directories
RUN chown -R nginx:nginx /var/cache/nginx && \
chown -R nginx:nginx /var/log/nginx && \
chown -R nginx:nginx /etc/nginx/conf.d
USER nginxPriority
P3 (Low) - Defense-in-depth improvement
References
Summary
The Docker container runs nginx as root by default, increasing the attack surface if the container is compromised.
Location
Dockerfile(lines 28-45)Description
The Dockerfile uses
nginx:alpineas the base image without specifying a non-root user:By default, nginx:alpine runs as root. If an attacker compromises the nginx process, they have root privileges within the container.
Impact
While container isolation provides some protection, running as non-root follows defense-in-depth principles.
Remediation
Option 1: Use nginx unprivileged image (recommended)
Option 2: Add non-root user to existing Dockerfile
Priority
P3 (Low) - Defense-in-depth improvement
References