[SECURITY] Remove sudo NOPASSWD from sandbox Dockerfile #133

@bobbyhyam

Summary

This issue was identified by an automated security audit run by Claude.

Severity: CRITICAL (P0)

Description

The sandbox Dockerfile grants the user account passwordless sudo access, allowing any code running in the sandbox to execute commands as root without authentication.

Location: sandbox/docker/Dockerfile (lines 60-63)

RUN useradd -m -s /bin/bash -u 1000 user && \
    echo "user ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers && \
    usermod -aG docker user && \
    chown -R user:user /home/user

Attack Scenario

Any code executed in the sandbox can immediately escalate to root:

# User runs in sandbox:
sudo su -
# Now has root access with no password required

Remediation

Remove the sudoers line from the Dockerfile:

RUN useradd -m -s /bin/bash -u 1000 user && \
    # REMOVE: echo "user ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers && \
    chown -R user:user /home/user

If sudo is needed for specific operations, use a more restrictive sudoers configuration that only allows specific commands.

Risk if Unfixed

Immediate root access within the sandbox container for any user-submitted code.


🤖 This issue was identified by an automated security audit run by Claude.
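
A CI check that catches the grant described in this issue if it is reintroduced, given here as an added example that is not part of the original issue or the project's code. The function name `find_nopasswd_all` and the script name in the comment are assumptions; the check goes slightly beyond the exact line quoted above by also matching whitespace variants and tag lists such as `NOPASSWD: SETENV: ALL`.

```shell
#!/bin/sh
# Added example (not project code): fail a build when a Dockerfile grants
# blanket passwordless sudo. find_nopasswd_all is a hypothetical helper name.
# Assumed usage in CI:  sh check_sudoers.sh sandbox/docker/Dockerfile

# Prints "<first line number>: <joined instruction>" for every Dockerfile
# instruction containing a NOPASSWD grant for ALL commands.
# Returns 1 if at least one is found, 0 otherwise.
find_nopasswd_all() {
    awk '
        # Comment lines are dropped by the Dockerfile parser, even inside a
        # continued RUN, so a commented-out grant is not a finding.
        /^[ \t]*#/ { next }
        {
            line = $0
            if (start == 0) start = NR
            # A trailing backslash continues the instruction on the next line.
            if (sub(/\\[ \t]*$/, "", line)) { buf = buf line " "; next }
            buf = buf line
            # NOPASSWD:, optional further tags (SETENV: ...), then the word ALL.
            # The trailing class keeps aliases such as ALLOWED_CMDS from matching.
            if (buf ~ /NOPASSWD:([ \t]*[A-Z_]+:)*[ \t]*ALL([^A-Za-z0-9_]|$)/) {
                printf "%d: %s\n", start, buf
                found = 1
            }
            buf = ""
            start = 0
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Run against a path when one is given on the command line.
[ "$#" -eq 0 ] || find_nopasswd_all "$1"
```

A sudoers entry that names specific commands after `NOPASSWD:` passes this check, which matches the restrictive configuration the remediation section allows for.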
