# Awesome-claude-code check-docker-user-permissions

Checks Docker user and permission configuration. Detects root execution, improper file ownership, and missing security constraints.

## Install

Source: clone the upstream repo

```shell
git clone https://github.com/dykyi-roman/awesome-claude-code
```

Claude Code: install into `~/.claude/skills/`

```shell
T=$(mktemp -d) && git clone --depth=1 https://github.com/dykyi-roman/awesome-claude-code "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/check-docker-user-permissions" ~/.claude/skills/dykyi-roman-awesome-claude-code-check-docker-user-permissions && rm -rf "$T"
```

Manifest: `skills/check-docker-user-permissions/SKILL.md`

## Source content

# Docker User and Permission Check

Analyze Docker configurations for user, ownership, and permission issues in PHP containers.

## Permission Check Patterns

| Check | Risk | Detection |
|---|---|---|
| No USER instruction | Root execution | Missing `USER` in Dockerfile |
| Wrong UID/GID | Permission conflicts | Non-standard user IDs |
| COPY without --chown | Root-owned files | `COPY` without ownership |
| chmod 777 | World-writable files | Overly permissive mode |
| Volume permission mismatch | Read/write failures | Host vs container UID |
| Read-only FS incompatibility | Runtime crashes | Missing tmpfs for writable dirs |

## Detection Patterns

### 1. USER Instruction Present

```dockerfile
# INSECURE: No USER instruction (runs as root PID 1)
FROM php:8.4-fpm-alpine
COPY . /var/www/
CMD ["php-fpm"]

# SECURE: Non-root user defined
FROM php:8.4-fpm-alpine
RUN addgroup -g 1000 -S appgroup \
    && adduser -u 1000 -S appuser -G appgroup
USER appuser
CMD ["php-fpm"]
```

### 2. Correct UID/GID Convention

```dockerfile
# Alpine: addgroup / adduser (BusyBox)
RUN addgroup -g 1000 -S appgroup \
    && adduser -u 1000 -S appuser -G appgroup -h /var/www -s /sbin/nologin

# Debian: groupadd / useradd (shadow)
RUN groupadd -g 1000 appgroup \
    && useradd -u 1000 -g appgroup -d /var/www -s /usr/sbin/nologin -M appuser
```

### 3. File Ownership After COPY

```dockerfile
# INSECURE: Files owned by root after COPY
COPY . /var/www/

# SECURE: Set ownership during COPY
COPY --chown=appuser:appgroup . /var/www/

# SECURE: Set ownership in multi-stage
COPY --from=builder --chown=appuser:appgroup /app/vendor /var/www/vendor
```

### 4. No chmod 777

```dockerfile
# INSECURE: World-writable permissions
RUN chmod -R 777 /var/www/var

# SECURE: Minimal permissions
RUN mkdir -p /var/www/var/cache /var/www/var/log \
    && chown -R appuser:appgroup /var/www/var \
    && chmod -R 755 /var/www/var
```

### 5. Volume Permissions

```yaml
# PROBLEM: Host UID doesn't match container UID
services:
  php-fpm:
    volumes:
      - ./src:/var/www/src          # May cause permission issues

# SOLUTION: Read-only bind mounts + named volumes
services:
  php-fpm:
    user: "1000:1000"
    volumes:
      - ./src:/var/www/src:ro       # Read-only (no permission issues)
      - cache:/var/www/var/cache    # Named volume
      - logs:/var/www/var/log       # Named volume
```

### 6. Read-Only Filesystem Compatibility

```yaml
services:
  php-fpm:
    read_only: true
    tmpfs:
      - /tmp:noexec,nosuid,size=64m
      - /var/run:noexec,nosuid,size=1m
    volumes:
      - cache:/var/www/var/cache
      - logs:/var/www/var/log
```
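As an added example (not the skill's own code), a line-based Python check for the compose patterns in 5 and 6: bind mounts without `:ro`, a missing `read_only: true`, and no tmpfs for `/tmp`, graded with the severities from the Severity Classification section. It assumes the two-space indentation used in the snippets above; the compose file it scans is constructed for illustration.

```python
import re
VOLUME_RE = re.compile(r"^\s*-\s*['\"]?([^:'\"]+):([^:'\"]+)(?::([^'\"]+))?")  # matches '- src:dst[:opts]'

def check_compose(text):
    """Return sorted (line, severity, message) findings; assumes 2-space indentation (services at indent 2)."""
    findings, top, service, section, state = [], None, None, None, {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        stripped = line.strip()
        indent = len(line) - len(stripped)
        if not stripped:
            continue
        if indent == 0:  # top-level key: services:, volumes:, networks:, ...
            top, service = stripped.rstrip(":"), None
        elif top == "services" and indent == 2 and stripped.endswith(":"):  # a service block begins
            service, section = stripped[:-1], None
            state[service] = {"read_only": False, "tmpfs_tmp": False}
        elif service and indent == 4:  # a service-level key such as volumes:, tmpfs:, read_only:
            section, _, value = stripped.partition(":")
            if section == "read_only" and value.strip() == "true":
                state[service]["read_only"] = True
        elif service and indent >= 6 and stripped.startswith("-"):  # list item under the current key
            if section == "tmpfs" and stripped.lstrip("- ").split(":")[0] == "/tmp":
                state[service]["tmpfs_tmp"] = True
            elif section == "volumes":
                m = VOLUME_RE.match(line)
                # bind mounts (host path source) only avoid the host/container UID mismatch when read-only
                if m and m.group(1).startswith((".", "/", "~")) and "ro" not in (m.group(3) or "").split(","):
                    findings.append((n, "Medium", f"{service}: bind mount {m.group(1)} without :ro"))
    for svc, s in state.items():
        if not s["read_only"]:
            findings.append((0, "Medium", f"{svc}: no read-only rootfs (read_only: true)"))
        if not s["tmpfs_tmp"]:
            findings.append((0, "Low", f"{svc}: no tmpfs for /tmp"))
    return sorted(findings)

COMPOSE = """services:
  php-fpm:
    read_only: true
    tmpfs:
      - /tmp:noexec,nosuid,size=64m
    volumes:
      - ./src:/var/www/src:ro
      - cache:/var/www/var/cache
  nginx:
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf   # writable bind mount
"""  # constructed sample (not from the page): one hardened service and one that is not
```

Findings with line 0 are service-wide (a missing key has no line to point at); the `php-fpm` service produces none, `nginx` produces all three.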

## User Creation: Alpine vs Debian

```dockerfile
# Alpine (BusyBox): -g GID -S system -u UID -G group -h home -s shell
RUN addgroup -g 1000 -S appgroup \
    && adduser -u 1000 -S appuser -G appgroup -h /var/www -s /sbin/nologin

# Debian (shadow): -g GID/group -u UID -d home -s shell -M no home dir
RUN groupadd -g 1000 appgroup \
    && useradd -u 1000 -g appgroup -d /var/www -s /usr/sbin/nologin -M appuser

# Using existing www-data (UID 82 on Alpine, 33 on Debian)
USER www-data
```

## Grep Patterns

```text
# USER instruction
Grep: "^USER " --glob "**/Dockerfile*"

# User creation commands
Grep: "adduser|useradd|addgroup|groupadd" --glob "**/Dockerfile*"

# COPY without --chown
Grep: "^COPY(?!.*--chown)" --glob "**/Dockerfile*"

# Overly permissive chmod
Grep: "chmod.*(777|666|a\+[rw])" --glob "**/Dockerfile*"

# chown commands
Grep: "chown" --glob "**/Dockerfile*"

# Read-only filesystem
Grep: "read_only:" --glob "**/docker-compose*.yml"

# tmpfs mounts
Grep: "tmpfs:" --glob "**/docker-compose*.yml"
```

Note that the `COPY` pattern relies on a negative lookahead, which ripgrep's default regex engine does not support; if the tool rejects it, search for `^COPY ` and discard the matches that contain `--chown`.

## Severity Classification

| Pattern | Severity | Impact |
|---|---|---|
| No USER instruction (production) | Critical | Container runs as root |
| chmod 777 on application dirs | High | Any process can modify files |
| COPY without --chown (with USER) | High | Files inaccessible to app user |
| System UID (< 1000) for app user | Medium | Potential privilege confusion |
| Volume mount without :ro | Medium | Unnecessary write access |
| No read-only rootfs | Medium | Filesystem can be modified |
| Missing tmpfs for /tmp | Low | Temp files on persistent storage |
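As an added example (not part of the skill or the upstream repository), a small Python checker that applies checks 1 to 4 and the severities from the table above to a Dockerfile. It examines only the final build stage, since a `USER` in a builder stage does not protect the image; the sample Dockerfile it scans is constructed for illustration.

```python
import re
CHMOD_RE = re.compile(r"chmod.*(777|666|a\+[rw])")  # the page's grep pattern for permissive modes
UID_RE = re.compile(r"\b(?:adduser|useradd)\b.*?-u\s*(\d+)")  # UID passed to the user-creation command

def logical_lines(text):
    """Yield (line_no, INSTRUCTION, arguments), joining backslash-continued lines so a multi-line RUN is one unit."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        start = start or n
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
        else:
            word, _, rest = " ".join(buf + [line]).partition(" ")
            yield start, word.upper(), rest
            buf, start = [], None

def check_dockerfile(text):
    """Return sorted (line, severity, message) findings for the final build stage; severities follow the table above."""
    lines = list(logical_lines(text))
    froms = [i for i, (_, ins, _) in enumerate(lines) if ins == "FROM"]
    stage = lines[froms[-1]:] if froms else lines  # a USER in a builder stage does not protect the final image
    findings, copies, has_user = [], [], False
    for n, instr, rest in stage:
        if instr == "USER":
            has_user = rest.strip() not in ("root", "0")  # USER root is as good as no USER
        elif instr == "COPY" and "--chown" not in rest:
            copies.append(n)
        elif instr == "RUN":
            if CHMOD_RE.search(rest):
                findings.append((n, "High", "world-writable chmod: any process can modify files"))
            m = UID_RE.search(rest)
            if m and int(m.group(1)) < 1000:
                findings.append((n, "Medium", f"system UID {m.group(1)} for app user"))
    if has_user:  # per the table, COPY without --chown is High only 'with USER'
        findings += [(n, "High", "COPY without --chown: files inaccessible to app user") for n in copies]
    else:
        findings.append((0, "Critical", "no USER in final stage: container runs as root"))
    return sorted(findings)

DOCKERFILE = """FROM composer:2 AS builder
COPY . /app
FROM php:8.4-fpm-alpine
RUN addgroup -g 82 -S appgroup \\
    && adduser -u 82 -S appuser -G appgroup
COPY docker/php.ini /usr/local/etc/php/conf.d/
RUN chmod -R 777 /var/www/var
USER appuser
CMD ["php-fpm"]
"""  # constructed sample (not from the page): a builder stage, then a PHP-FPM stage with several issues
```

Run against the sample, the builder stage's `COPY . /app` is ignored, and the final stage yields the Medium system-UID finding at line 4 and High findings for the unowned `COPY` (line 6) and the `chmod 777` (line 7).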

## Output Format

### Permission Issue: [Check Name]

**Severity:** Critical/High/Medium/Low
**File:** `<file_path>:<line>`
**Check:** USER / Ownership / chmod / Volume / Read-only FS

**Detection:**
[How the issue was identified]

**Risk:**
[Security or operational impact]

**Current:**
```dockerfile
# Current configuration
```

**Remediation:**
```dockerfile
# Secure configuration
```

**Platform Notes:**
- Alpine: [Alpine-specific instructions]
- Debian: [Debian-specific instructions]