'chpasswd' is used to set or remove passwords
Description
This policy is looking for instances where 'chpasswd' is used in dockerfiles. 'chpasswd' is a command that changes the password of a user in Linux OS. Insecure usage of this command can lead to potential security risks. Usually, this command is used to set or remove passwords in Docker containers.
If attackers gain access to these containers, they could easily change passwords, escalate their privileges, or gain unauthorized access to sensitive information. Consequently, this could lead to system compromise or data breach. Therefore, it's crucial to avoid using 'chpasswd' in Docker containers to maintain secure environments.
Remediation
Docker
- Resource: Dockerfile
- Arguments: RUN
To fix this issue, do not use the `chpasswd` command to set or remove passwords in your Docker scripts. You should use other secure methods to handle authentication in your Docker containers as 'chpasswd' can expose sensitive data and it's not considered a secure practice.
[source, Dockerfile]
RUN adduser --disabled-password --gecos "" user
In the fixed code, we're using `adduser --disabled-password` which is a more secure way to add a user without a password. For instance, Docker might handle interaction with your application, this way you ensure the Docker container is running with the proper permissions, reducing the risk of a potential breach. It's a more secure practice as it avoids hardcoding the password in the Dockerfile. This method doesn't expose sensitive data, thus following the best security practice.
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0861 |
| Severity | MEDIUM |
| IaC Type | dockerfile |
| Frameworks | Docker |
| Checkov ID | CKV2_DOCKER_17 |