[MEDIUM] Docker Container Running as Root User - Security Risk #245

@evmparser

Description

Bug description

The Dockerfile runs the KMS service as the root user inside the container. This violates the principle of least privilege and creates unnecessary security risks. If an attacker compromises the application, they would have root privileges within the container, making lateral movement and privilege escalation easier.

Severity: MEDIUM

Location: Dockerfile

To Reproduce

  1. Open the Dockerfile in the repository
  2. Notice there is no USER directive to switch to a non-root user
  3. The application runs as root by default
  4. Check running container: docker exec <container> whoami → returns "root"

Security implications:

  • If the application is compromised, the attacker has root access in the container
  • Easier container escape if kernel vulnerabilities exist
  • Violates Docker security best practices
  • Fails security compliance checks (CIS Docker Benchmark)

Expected behavior

Docker containers should run as non-root users following security best practices:

Recommended Dockerfile changes:

```dockerfile
# Current approach (insecure):
FROM rust:1.70
COPY . .
RUN cargo build --release
CMD ["./target/release/kms"]
```

```dockerfile
# Recommended approach (secure): build stage, then a minimal runtime stage
FROM rust:1.70 AS builder
COPY . .
RUN cargo build --release

FROM debian:bookworm-slim
# Create non-root system user and group
RUN groupadd -r kms && useradd -r -g kms kms

# Set up application directory (the builder copied the sources to /, so the binary is under /target)
WORKDIR /app
COPY --from=builder /target/release/kms ./
RUN chown -R kms:kms /app

# Drop privileges: every later instruction, and the CMD, runs as kms
USER kms

# Run as non-root
CMD ["./kms"]
```

Key security improvements:

  1. ✅ Create dedicated user/group for the application
  2. ✅ Use multi-stage build to reduce image size
  3. ✅ Switch to non-root user with USER directive
  4. ✅ Set proper file ownership
  5. ✅ Use minimal base image (debian-slim)

Suggested Fix

Implementation steps:

  1. Add user creation in Dockerfile (the UID is pinned so it matches `runAsUser` in step 5; a system user with no login shell):

     ```dockerfile
     RUN groupadd -r kmsuser && \
         useradd -r -u 1000 -g kmsuser -s /sbin/nologin kmsuser
     ```
  2. Set proper ownership:

     ```dockerfile
     RUN chown -R kmsuser:kmsuser /app
     ```
  3. Switch to non-root user:

     ```dockerfile
     USER kmsuser
     ```
  4. If ports < 1024 are needed:

     ```dockerfile
     # Add a file capability instead of running as root.
     # setcap is provided by the libcap2-bin package, which minimal base images
     # such as debian:bookworm-slim do not ship; install it in this stage first.
     RUN setcap 'cap_net_bind_service=+ep' /app/kms
     ```
  5. Add security context in Kubernetes/deployment:

     ```yaml
     securityContext:
       runAsNonRoot: true
       runAsUser: 1000                  # must match the UID created in step 1
       readOnlyRootFilesystem: true
       allowPrivilegeEscalation: false  # sets no_new_privs: the kernel then ignores
                                        # the file capability from step 4, so on
                                        # Kubernetes listen on a port >= 1024 and
                                        # map it in the Service instead
       capabilities:
         drop:
           - ALL
     ```

Additional Context

Security standards requiring non-root containers:

  • CIS Docker Benchmark 4.1: "Create a user for the container"
  • NIST SP 800-190: Application Container Security Guide
  • Docker Security Best Practices
  • Kubernetes Pod Security Standards: Restricted

Benefits of running as non-root:

  1. Reduced attack surface - Limits what an attacker can do if the application is compromised
  2. Defense in depth - Another security layer
  3. Compliance - Meets security requirements
  4. Container escape mitigation - Harder to exploit kernel vulnerabilities
  5. Audit trail - Clearer separation of processes

Testing the fix:

```sh
# Build and run
docker build -t kms:secure .
docker run -d --name kms-test kms:secure

# Verify non-root
docker exec kms-test whoami  # Should NOT return "root"
docker exec kms-test id      # Should show UID != 0
```

References:
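Reproduction step 2 checks by eye for a missing USER directive; the following is an added CI check (example code, not from this issue or the KMS project) that does the same thing mechanically and fails when a Dockerfile's final stage would run as root. The two sample Dockerfiles embedded in it are constructed from the issue's "current" and "recommended" blocks, and the check generalizes to multi-stage builds, where only the last stage's USER counts.

```python
import re
from typing import Optional, Tuple

# Constructed samples: the issue's "current" and "recommended" Dockerfiles.
INSECURE = """FROM rust:1.70
COPY . .
RUN cargo build --release
CMD ["./target/release/kms"]
"""
SECURE = """FROM rust:1.70 AS builder
COPY . .
RUN cargo build --release
FROM debian:bookworm-slim
RUN groupadd -r kms && \\
    useradd -r -g kms kms
WORKDIR /app
COPY --from=builder /target/release/kms ./
USER kms
CMD ["./kms"]
"""

def final_stage_user(dockerfile: str) -> Optional[str]:
    """Effective USER of the last stage, or None when it falls back to root.

    Every FROM starts a new stage as root, so a USER set only in a builder
    stage does not protect the runtime image. A base image that sets USER
    itself is invisible here and is conservatively reported as root.
    """
    text = re.sub(r"\\\s*\n", " ", dockerfile)  # join backslash continuations
    user = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, args = line.partition(" ")
        if instr.upper() == "FROM":
            user = None
        elif instr.upper() == "USER":
            user = args.strip().strip('"')
    return user

def check_non_root(dockerfile: str) -> Tuple[bool, str]:
    """(ok, reason): ok only if the final stage's USER is neither root nor UID 0."""
    user = final_stage_user(dockerfile)
    if user is None:
        return False, "no USER in final stage: container runs as root"
    if user.split(":")[0] in ("root", "0"):
        return False, f"USER {user} is still root"
    return True, f"final stage runs as {user}"
```

Run `check_non_root` over each Dockerfile in the repository from CI and fail the build on a `False` result; it complements, rather than replaces, the runtime `docker exec ... id` check above, since a base image may itself change the user.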

Labels: bug