acc-check-docker-user-permissions

- Total installs: 1
- Weekly installs: 1
- Site-wide rank: #47034
- Install command: `npx skills add https://github.com/dykyi-roman/awesome-claude-code --skill acc-check-docker-user-permissions`
- Agent install distribution: opencode 1, claude-code 1

Skill documentation
# Docker User and Permission Check

Analyze Docker configurations for user, ownership, and permission issues in PHP containers.
## Permission Check Patterns

| Check | Risk | Detection |
|---|---|---|
| No USER instruction | Root execution | Missing USER in Dockerfile |
| Wrong UID/GID | Permission conflicts | Non-standard user IDs |
| COPY without --chown | Root-owned files | COPY without ownership |
| chmod 777 | World-writable files | Overly permissive mode |
| Volume permission mismatch | Read/write failures | Host vs container UID |
| Read-only FS incompatibility | Runtime crashes | Missing tmpfs for writable dirs |
## Detection Patterns

### 1. USER Instruction Present

```dockerfile
# INSECURE: No USER instruction (runs as root PID 1)
FROM php:8.4-fpm-alpine
COPY . /var/www/
CMD ["php-fpm"]
```

```dockerfile
# SECURE: Non-root user defined
FROM php:8.4-fpm-alpine
RUN addgroup -g 1000 -S appgroup \
    && adduser -u 1000 -S appuser -G appgroup
USER appuser
CMD ["php-fpm"]
```
### 2. Correct UID/GID Convention

```dockerfile
# Alpine: addgroup / adduser (BusyBox)
RUN addgroup -g 1000 -S appgroup \
    && adduser -u 1000 -S appuser -G appgroup -h /var/www -s /sbin/nologin
```

```dockerfile
# Debian: groupadd / useradd (shadow)
RUN groupadd -g 1000 appgroup \
    && useradd -u 1000 -g appgroup -d /var/www -s /usr/sbin/nologin -M appuser
```
### 3. File Ownership After COPY

```dockerfile
# INSECURE: Files owned by root after COPY
COPY . /var/www/
```

```dockerfile
# SECURE: Set ownership during COPY
COPY --chown=appuser:appgroup . /var/www/
```

```dockerfile
# SECURE: Set ownership in multi-stage (stage name "builder" is assumed here)
COPY --from=builder --chown=appuser:appgroup /app/vendor /var/www/vendor
```
### 4. No chmod 777

```dockerfile
# INSECURE: World-writable permissions
RUN chmod -R 777 /var/www/var
```

```dockerfile
# SECURE: Minimal permissions
RUN mkdir -p /var/www/var/cache /var/www/var/log \
    && chown -R appuser:appgroup /var/www/var \
    && chmod -R 755 /var/www/var
```
### 5. Volume Permissions

```yaml
# PROBLEM: Host UID doesn't match container UID
services:
  php-fpm:
    volumes:
      - ./src:/var/www/src   # May cause permission issues
```

```yaml
# SOLUTION: Read-only bind mounts + named volumes
services:
  php-fpm:
    user: "1000:1000"
    volumes:
      - ./src:/var/www/src:ro      # Read-only (no permission issues)
      - cache:/var/www/var/cache   # Named volume
      - logs:/var/www/var/log      # Named volume
volumes:   # declare the named volumes used above
  cache:
  logs:
```
### 6. Read-Only Filesystem Compatibility

```yaml
services:
  php-fpm:
    read_only: true
    tmpfs:
      - /tmp:noexec,nosuid,size=64m
      - /var/run:noexec,nosuid,size=1m
    volumes:
      - cache:/var/www/var/cache
      - logs:/var/www/var/log
volumes:   # named volumes give the read-only container its writable paths
  cache:
  logs:
```
## User Creation: Alpine vs Debian

```dockerfile
# Alpine (BusyBox): -g GID -S system -u UID -G group -h home -s shell
RUN addgroup -g 1000 -S appgroup \
    && adduser -u 1000 -S appuser -G appgroup -h /var/www -s /sbin/nologin
```

```dockerfile
# Debian (shadow): -g GID/group -u UID -d home -s shell -M no home dir
RUN groupadd -g 1000 appgroup \
    && useradd -u 1000 -g appgroup -d /var/www -s /usr/sbin/nologin -M appuser
```

```dockerfile
# Using existing www-data (UID 82 on Alpine, 33 on Debian)
USER www-data
```
## Grep Patterns

```
# USER instruction
Grep: "^USER " --glob "**/Dockerfile*"

# User creation commands
Grep: "adduser|useradd|addgroup|groupadd" --glob "**/Dockerfile*"

# COPY without --chown (negative lookahead needs a PCRE-style engine; ripgrep's
# default engine rejects it, so enable its PCRE2 mode (-P) or grep COPY lines and filter)
Grep: "^COPY(?!.*--chown)" --glob "**/Dockerfile*"

# Overly permissive chmod
Grep: "chmod.*(777|666|a\+[rw])" --glob "**/Dockerfile*"

# chown commands
Grep: "chown" --glob "**/Dockerfile*"

# Read-only filesystem
Grep: "read_only:" --glob "**/docker-compose*.yml"

# tmpfs mounts
Grep: "tmpfs:" --glob "**/docker-compose*.yml"
```
## Severity Classification

| Pattern | Severity | Impact |
|---|---|---|
| No USER instruction (production) | Critical | Container runs as root |
| chmod 777 on application dirs | High | Any process can modify files |
| COPY without --chown (with USER) | High | Files inaccessible to app user |
| System UID (< 1000) for app user | Medium | Potential privilege confusion |
| Volume mount without :ro | Medium | Unnecessary write access |
| No read-only rootfs | Medium | Filesystem can be modified |
| Missing tmpfs for /tmp | Low | Temp files on persistent storage |
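The detection patterns and the severity table above can be turned into a small offline scanner. The following Python script is an added example, not the skill's own code and not part of the awesome-claude-code project: it joins Dockerfile continuation lines, applies the USER / --chown / chmod / system-UID checks, scans a compose file line by line for writable bind mounts, `read_only: true` and a tmpfs entry for `/tmp`, and reports each finding with the severity the table assigns. The sample Dockerfile and compose file are constructed for the demo. It goes beyond the page in two places: a final `USER root` or `USER 0` is reported like a missing USER, and the `:ro` check is limited to bind mounts (host paths starting with `./`, `/` or `~`), since named volumes such as `cache` and `logs` must stay writable.

```python
"""Dockerfile / compose permission scanner (added example, not the skill's own code).
Applies the checks and severities from the tables above. Refinements beyond the page:
a final `USER root` / `USER 0` counts as root execution, and the ":ro" check covers
bind mounts only. Compose is scanned line by line, so no YAML library is needed."""
import re
from typing import List, Tuple

Finding = Tuple[str, str, int, str]  # (severity, check, line or 0 for file-wide, detail)

PERMISSIVE_CHMOD = re.compile(r"chmod\b.*?\b(777|666|a\+[rw])")
APP_UID = re.compile(r"\b(?:adduser|useradd)\b.*?\s-u\s*(\d+)")

# Constructed sample: system UID, COPY without --chown, chmod 777, USER set
SAMPLE_DOCKERFILE = """\
FROM php:8.4-fpm-alpine
RUN addgroup -g 100 -S appgroup \\
    && adduser -u 100 -S appuser -G appgroup
COPY . /var/www/
RUN chmod -R 777 /var/www/var
USER appuser
COPY --chown=appuser:appgroup composer.json /var/www/
CMD ["php-fpm"]
"""

# Constructed sample: writable bind mount, no read_only rootfs, no tmpfs for /tmp
SAMPLE_COMPOSE = """\
services:
  php-fpm:
    image: php:8.4-fpm-alpine
    volumes:
      - ./src:/var/www/src
      - cache:/var/www/var/cache
volumes:
  cache:
"""


def _instructions(text: str) -> List[Tuple[int, str, str]]:
    """Return (first line number, INSTRUCTION, args), joining backslash continuations."""
    out, buf, start = [], "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf:
            start = no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        full, buf = (buf + line).strip(), ""
        if full and not full.startswith("#"):
            parts = full.split(None, 1)
            out.append((start, parts[0].upper(), parts[1] if len(parts) > 1 else ""))
    return out


def scan_dockerfile(text: str) -> List[Finding]:
    findings: List[Finding] = []
    insts = _instructions(text)
    users = [(no, args.split(":")[0]) for no, inst, args in insts if inst == "USER"]
    runs_as_root = not users or users[-1][1] in ("root", "0")
    if not users:
        findings.append(("Critical", "USER", 0, "No USER instruction: container runs as root"))
    elif runs_as_root:
        findings.append(("Critical", "USER", users[-1][0], f"Final USER is {users[-1][1]}: container runs as root"))
    for no, inst, args in insts:
        if inst in ("COPY", "ADD") and "--chown" not in args and not runs_as_root:
            findings.append(("High", "Ownership", no, f"{inst} without --chown: files owned by root, app user is {users[-1][1]}"))
        elif inst == "RUN":
            m = PERMISSIVE_CHMOD.search(args)
            if m:
                findings.append(("High", "chmod", no, f"World-writable mode {m.group(1)}"))
            m = APP_UID.search(args)
            if m and int(m.group(1)) < 1000:
                findings.append(("Medium", "USER", no, f"System UID {m.group(1)} (< 1000) for app user"))
    return findings


def scan_compose(text: str) -> List[Finding]:
    findings: List[Finding] = []
    section, read_only, tmp_on_tmpfs = "", False, False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith(":") and not line.startswith("-"):
            section = line[:-1]  # list items that follow belong to e.g. "volumes" or "tmpfs"
        elif re.fullmatch(r"read_only:\s*true", line):
            read_only = True
        elif line.startswith("-"):
            item = line[1:].strip().strip("'\"")
            if section == "tmpfs" and item.split(":")[0] == "/tmp":
                tmp_on_tmpfs = True
            elif section == "volumes" and item and item[0] in "./~":  # bind mount only
                parts = item.split(":")
                opts = parts[2].split(",") if len(parts) > 2 else []
                if "ro" not in opts:
                    findings.append(("Medium", "Volume", no, f"Bind mount without :ro: {item}"))
    if not read_only:
        findings.append(("Medium", "Read-only FS", 0, "No read_only: true; rootfs can be modified"))
    if not tmp_on_tmpfs:
        findings.append(("Low", "Read-only FS", 0, "No tmpfs for /tmp; temp files land on persistent storage"))
    return findings


if __name__ == "__main__":
    for path, scan, text in (("Dockerfile", scan_dockerfile, SAMPLE_DOCKERFILE),
                             ("docker-compose.yml", scan_compose, SAMPLE_COMPOSE)):
        for sev, check, line, detail in scan(text):
            print(f"[{sev}] {check} {path}:{line} {detail}")
```

Run it as-is to see the three Dockerfile findings (Medium at line 2, High at lines 4 and 5) and the three compose findings; point `scan_dockerfile` / `scan_compose` at real file contents to use it on a project. Line 0 marks file-wide findings such as a missing USER, which have no single line to point at.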
## Output Format

### Permission Issue: [Check Name]
**Severity:** Critical/High/Medium/Low
**File:** `<file_path>:<line>`
**Check:** USER / Ownership / chmod / Volume / Read-only FS
**Detection:**
[How the issue was identified]
**Risk:**
[Security or operational impact]
**Current:**
```dockerfile
# Current configuration
```
**Remediation:**
```dockerfile
# Secure configuration
```
**Platform Notes:**
- Alpine: [Alpine-specific instructions]
- Debian: [Debian-specific instructions]