5.24 Ensure that docker exec commands are not used with the user=root option

Information

You should not use docker exec with the --user=root option.

Rationale:

Using the --user=root option in a docker exec command, executes it within the container as the root user. This could potentially be insecure, particularly when you are running containers with reduced capabilities or enhanced restrictions.

For example, if your container is running as a tomcat user (or any other non-root user), it would be possible to run a command through docker exec as root with the --user=root option. This could potentially be dangerous.

Impact:

None.

Solution

You should not use the --user=root option in docker exec commands.

Default Value:

By default, the docker exec command runs without the --user option.

See Also

https://workbench.cisecurity.org/benchmarks/11818