Omitting the USER directive in a Dockerfile can lead to which security risk?

When you omit the USER directive in a Dockerfile, the container’s main process runs as the root user inside the container. This creates a security risk because root inside the container has unrestricted privileges within that container’s namespace. If the application has a vulnerability or if an attacker can exploit it, those root privileges can be used to tamper with files, install or modify software, bind to privileged ports, or take other privileged actions inside the container. That increases the potential damage and can raise the likelihood of privilege escalation, especially if container escape or host-interaction opportunities exist. To reduce this risk, explicitly specify a non-root user (and, if needed, a specific group) with the USER directive. In Kubernetes, you’d also apply runAsNonRoot and limit capabilities to further constrain what the process can do. This aligns the container’s privileges with the principle of least privilege. The other options aren’t correct because omitting the USER directive doesn’t prevent the container from starting, doesn’t make the image non-portable, and doesn’t automatically drop privileges. The default is to run as root inside the container unless a non-root user is specified.