elasticsearch/distribution/docker/src/docker/Dockerfile - regarding the absence of files with setuid

Hi all!
I am reaching you because I am working with the following Elasticsearch image as base, and I would like to ask some questions about the following line of the Dockerfile.

The comments of the Dockerfile, regarding that line, said that this "ensure that there are no files with setuid or setgid, in order to mitigate "stackclash" attacks. We've already run this in previous layers so it ought to be a no-op". From what I can understand from here, is that this code, find / -xdev -perm -4000 -exec chmod ug-s {} + && \, should not do anything, as it is considered a no-op.

However, I have been doing some tests, using the following Dockerfile, where the images are taken from Red Hat catalog (using ubi8/ubi-minimal with elasticsearch 7.17.6 as source), and using the instructions from the Dockerfile referenced above:

FROM registry.connect.redhat.com/elastic/elasticsearch:7.17.6 as source

# Add mapper plugin
RUN /usr/share/elasticsearch/bin/elasticsearch-plugin install mapper-size
RUN echo "indices.query.bool.max_clause_count: 2048" >> /usr/share/elasticsearch/config/elasticsearch.yml

FROM registry.access.redhat.com/ubi8/ubi-minimal

RUN microdnf update --setopt=tsflags=nodocs -y && \
    microdnf install --setopt=tsflags=nodocs -y nc shadow-utils zip unzip findutils procps-ng && \
    microdnf clean all

RUN groupadd -g 1000 elasticsearch && \
    adduser -u 1000 -g 1000 -G 0 -d /usr/share/elasticsearch elasticsearch && \
    chmod 0755 /usr/share/elasticsearch && \
    chown -R 0:0 /usr/share/elasticsearch


WORKDIR /usr/share/elasticsearch

COPY --from=source --chown=0:0 /usr/share/elasticsearch /usr/share/elasticsearch
COPY --from=source --chown=0:0 /bin/tini /bin/tini

ENV PATH /usr/share/elasticsearch/bin:$PATH

COPY --from=source /usr/local/bin/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh

RUN chmod g=u /etc/passwd && \
    chmod 0555 /usr/local/bin/docker-entrypoint.sh && \
    find / -xdev -perm -4000 -exec chmod ug-s {} + && \
    chmod 0775 /usr/share/elasticsearch && \
    chown elasticsearch bin config config/jvm.options.d data logs plugins

RUN ln -sf /etc/pki/ca-trust/extracted/java/cacerts /usr/share/elasticsearch/jdk/lib/security/cacerts

EXPOSE 9200 9300

RUN mkdir -p /licenses

COPY terms-and-conditions.pdf /licenses/terms-and-conditions.pdf

COPY --from=source /licenses/LICENSE /licenses/LICENSE

USER elasticsearch:root

ENTRYPOINT ["/bin/tini", "--", "/usr/local/bin/docker-entrypoint.sh"]

CMD ["eswrapper"]

And in this particular case (this also happens if using ubi8/ubi image, by the way), I can see that there are three packages, among the ones installed with microdnf, that have setuid permissions:

[root@f83a39b0d719 /]# ls /usr/bin/ | grep chage
[root@f83a39b0d719 /]# ls /usr/bin/ | grep gpasswd
[root@f83a39b0d719 /]# ls /usr/bin/ | grep newgrp
[root@f83a39b0d719 /]# find / -xdev -perm -4000

So, in the end, this results that, when we reach to the line I was commenting before, it is not a no-op; it really removes the setuid permissions to these three binaries.

I would like to ask you if this is expected, then this action is really needed and there should be a typo in the comments, since this is really a command that is doing something; or, in the other hand, if this should not be done.

Also, I would like to ask if these three binaries are really needed for Elasticsearch. My impression is that they come as extra-packages from the ones installed here, and may not be needed for the normal performance of the tool, since they're not used in the Dockerfile and I believe all permissions, groups, etc. are set up before running Elasticsearch.

Thank you for your support!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.