From b0ad37126c42d110a3fb0b0ae95e50491fbe0586 Mon Sep 17 00:00:00 2001
From: Rory Hunter
Date: Thu, 13 Feb 2020 13:18:13 +0100
Subject: [PATCH] Remove setuid,setgid bits on all files in Docker image (#51851)

This is to mitigate "stackclash" attacks.

This is a a very small partial backport from #50277.
---
 distribution/docker/src/docker/Dockerfile | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/distribution/docker/src/docker/Dockerfile b/distribution/docker/src/docker/Dockerfile
index ef576f32dc5fa..9e04010a20b5b 100644
--- a/distribution/docker/src/docker/Dockerfile
+++ b/distribution/docker/src/docker/Dockerfile
@@ -67,6 +67,9 @@ ENV PATH /usr/share/elasticsearch/bin:\$PATH
 COPY --chown=1000:0 bin/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
+# Ensure that there are no files with setuid or setgid, in order to mitigate "stackclash" attacks.
+RUN find / -xdev -perm -4000 -exec chmod ug-s {} +
+
 # Openshift overrides USER and uses ones with randomly uid>1024 and gid=0
 # Allow ENTRYPOINT (and ES) to run even with a different user
 RUN chgrp 0 /usr/local/bin/docker-entrypoint.sh && \