5.23 Do not docker exec commands with user option

Information

Do not use docker exec with the --user option.

Rationale:

Passing the --user option to docker exec runs the command inside the container as that user, regardless of the user the container itself was started with. This can be insecure, especially for containers that run with dropped capabilities or other hardening that assumes a particular non-root user.

For example, suppose your container is running as the tomcat user (or any other non-root user). It would still be possible to run a command inside it as root with docker exec --user=root, bypassing the container's intended user and any restrictions that depended on it. This could potentially be dangerous.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
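Because the recommendation is a usage rule rather than a daemon setting, the practical check is to look for docker exec invocations that carry --user in whatever command history or audit trail the host keeps. The script below is an added example, not part of the CIS benchmark or of Nessus; it assumes one shell command per input line (as in a bash history file or commands extracted from auditd EXECVE records), and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Flag `docker exec` invocations that set an explicit user (-u / --user).
# Added example; input format (one command per line) is an assumption.

# Reads commands on stdin, prints each offending line, and returns 1 if any
# were found (0 otherwise) so it can gate a CI or audit job.
find_exec_with_user() {
    awk '
    {
        # Locate the exec subcommand; "docker exec" and "docker container exec"
        # both count, and the binary may appear with a full path.
        n = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /(^|\/)docker$/) {
                if ($(i+1) == "exec") { n = i + 2; break }
                if ($(i+1) == "container" && $(i+2) == "exec") { n = i + 3; break }
            }
        }
        if (n == 0) next
        # Walk the option tokens that precede the container name. The first
        # token not starting with "-" is the container, so anything after it
        # (e.g. a "--user" literal passed to the program) is not an exec option.
        hit = 0
        for (j = n; j <= NF; j++) {
            t = $j
            if (t !~ /^-/) break
            if (t == "--user" || t ~ /^--user=/ || t == "-u" || t ~ /^-u./) { hit = 1; break }
            # Options that take a separate value: skip the value so it is not
            # mistaken for the container name and the scan ends too early.
            if (t == "-w" || t == "--workdir" || t == "-e" || t == "--env" ||
                t == "--env-file" || t == "--detach-keys") j++
        }
        if (hit) { print; found = 1 }
    }
    END { exit (found ? 1 : 0) }
    '
}

# Constructed sample history (not taken from any real system).
# Expected hits: the --user=root, the -w /tmp -u 0 and the "container exec --user tomcat" lines.
SAMPLE_HISTORY='docker exec -it web sh
docker exec --user=root web id
docker exec -w /tmp -u 0 web ls
docker run --rm --user 1000 alpine id
docker container exec -it --user tomcat app bash
sudo /usr/bin/docker exec -it web sh -c "--user"'

# Stand-alone demonstration; the || keeps the script exit status clean.
printf '%s\n' "$SAMPLE_HISTORY" | find_exec_with_user || echo "docker exec with --user found above"
```

In practice pipe in `cat ~/.bash_history`, `ausearch -i -sc execve` output reduced to the command text, or shipped shell audit logs, and treat a non-zero exit as a finding to investigate. Note that the scan only recognises -u and --user as separate tokens or in -uNAME / --user=NAME form; a combined short-flag spelling such as -itu would need to be added if it is used in your environment.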

Solution

Do not use the --user option in docker exec commands.

Impact:

None.

Default Value:

By default, the docker exec command runs without the --user option, so the command executes as the user the container was started with.

See Also

https://workbench.cisecurity.org/files/1476