Docker container runs as root due to missing USER directive and COMPOSER_ALLOW_SUPERUSER=1 #11

Open
opened 2026-05-14 20:30:49 +02:00 by Claude · 0 comments

## Problem

The production Dockerfile uses `php:8.2-apache-bullseye` as its base and installs all dependencies and application files as root. No `USER` directive is present anywhere in the file. `ENV COMPOSER_ALLOW_SUPERUSER 1` explicitly suppresses Composer's own warning about running as root, masking the issue.

## Location

`Dockerfile`, line 15 (`ENV COMPOSER_ALLOW_SUPERUSER 1`) and line 35 (`CMD ["apache2-foreground"]`) — no `USER` directive present.

## Risk

If an attacker achieves remote code execution via any future Symfony, PHP, or application-level vulnerability, the process runs with root privileges inside the container. This maximises blast radius: writing to any path, installing tools, reading all secrets mounted as files, and potentially escaping container boundaries if the Docker socket or privileged capabilities are exposed.

## Suggested fix direction

Add a `USER www-data` directive before the `CMD` instruction. Apache already runs worker processes as `www-data`; making the master process unprivileged limits the damage from RCE. Ensure application files are readable by `www-data` and remove `COMPOSER_ALLOW_SUPERUSER`.

## Severity

minor

## Found by

Automated audit by Claude Code
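The check behind this finding and the suggested fix, as an added example that is not code from the OpenLink project: a small POSIX shell audit that flags the two findings in any Dockerfile, run against a constructed vulnerable Dockerfile and a corrected one. The unprivileged port, the Apache run-directory ownership and the `composer:2` copy in the corrected sample are assumptions about the `php:apache` image layout, not taken from the repository.

```shell
# Added audit helper, not code from the OpenLink project. It scans a Dockerfile
# for the two findings in this issue and returns non-zero when either is present.
audit_dockerfile() {
  file="$1"; rc=0
  # Finding 1: Composer's own root warning is silenced ("ENV K V" or "ENV K=V").
  if grep -Eiq '^[[:space:]]*ENV[[:space:]]+COMPOSER_ALLOW_SUPERUSER([[:space:]]+|=)1' "$file"; then
    echo "$file: COMPOSER_ALLOW_SUPERUSER=1 hides that Composer runs as root"; rc=1
  fi
  # Finding 2: the last USER in the file decides who runs CMD/ENTRYPOINT.
  # No USER line at all means Docker's default, root.
  last_user=$(grep -Ei '^[[:space:]]*USER[[:space:]]+' "$file" | tail -n 1 | awk '{print $2}')
  case "${last_user:-root}" in
    root|root:*|0|0:*) echo "$file: CMD runs as root (last USER: ${last_user:-none})"; rc=1 ;;
  esac
  return $rc
}

# Constructed samples (not the repository's real Dockerfile) in a scratch dir.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
VULN_DF="$WORK/Dockerfile.vuln"
FIXED_DF="$WORK/Dockerfile.fixed"
cat > "$VULN_DF" <<'EOF'
FROM php:8.2-apache-bullseye
ENV COMPOSER_ALLOW_SUPERUSER 1
COPY . /var/www/html
RUN composer install --no-dev
CMD ["apache2-foreground"]
EOF

# The fix: drop the ENV, move Apache to an unprivileged port and make its run
# directories and the app tree owned by www-data (assumed php:apache paths),
# then switch USER before Composer runs so nothing below executes as root.
cat > "$FIXED_DF" <<'EOF'
FROM php:8.2-apache-bullseye
COPY --from=composer:2 /usr/bin/composer /usr/local/bin/composer
RUN sed -i 's/Listen 80/Listen 8080/' /etc/apache2/ports.conf \
 && sed -i 's/:80>/:8080>/' /etc/apache2/sites-available/000-default.conf
RUN mkdir -p /var/run/apache2 /var/lock/apache2 \
 && chown -R www-data:www-data /var/run/apache2 /var/lock/apache2 /var/log/apache2
COPY --chown=www-data:www-data . /var/www/html
USER www-data
RUN composer install --no-dev
EXPOSE 8080
CMD ["apache2-foreground"]
EOF

for df in "$VULN_DF" "$FIXED_DF"; do
  if audit_dockerfile "$df"; then echo "$df: clean"; fi
done
```

The audit reports both findings for the first sample and nothing for the second; it is a static check of the Dockerfile text only, so a `USER` set by a base image is not seen.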

Reference
bc1bb/OpenLink#11