elasticsearch/distribution/docker/src/docker/Dockerfile - regarding the absence of files with setuid

Hi all!
I am reaching out to you because I am working with the following Elasticsearch image as a base, and I would like to ask some questions about the following line of the Dockerfile.

The comment in the Dockerfile regarding that line says that this "ensure that there are no files with setuid or setgid, in order to mitigate "stackclash" attacks. We've already run this in previous layers so it ought to be a no-op". From what I can understand from here, this code, find / -xdev -perm -4000 -exec chmod ug-s {} + && \, should not do anything, as it is considered a no-op.

However, I have been doing some tests, using the following Dockerfile, where the images are taken from the Red Hat catalog (using ubi8/ubi-minimal with elasticsearch 7.17.6 as source), and using the instructions from the Dockerfile referenced above:

FROM registry.connect.redhat.com/elastic/elasticsearch:7.17.6 as source

# Add mapper plugin
RUN /usr/share/elasticsearch/bin/elasticsearch-plugin install mapper-size
RUN echo "indices.query.bool.max_clause_count: 2048" >> /usr/share/elasticsearch/config/elasticsearch.yml

FROM registry.access.redhat.com/ubi8/ubi-minimal

RUN microdnf update --setopt=tsflags=nodocs -y && \
    microdnf install --setopt=tsflags=nodocs -y nc shadow-utils zip unzip findutils procps-ng && \
    microdnf clean all

RUN groupadd -g 1000 elasticsearch && \
    adduser -u 1000 -g 1000 -G 0 -d /usr/share/elasticsearch elasticsearch && \
    chmod 0755 /usr/share/elasticsearch && \
    chown -R 0:0 /usr/share/elasticsearch

ENV ELASTIC_CONTAINER true

WORKDIR /usr/share/elasticsearch

COPY --from=source --chown=0:0 /usr/share/elasticsearch /usr/share/elasticsearch
COPY --from=source --chown=0:0 /bin/tini /bin/tini

ENV PATH /usr/share/elasticsearch/bin:$PATH

COPY --from=source /usr/local/bin/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh

RUN chmod g=u /etc/passwd && \
    chmod 0555 /usr/local/bin/docker-entrypoint.sh && \
    find / -xdev -perm -4000 -exec chmod ug-s {} + && \
    chmod 0775 /usr/share/elasticsearch && \
    chown elasticsearch bin config config/jvm.options.d data logs plugins

RUN ln -sf /etc/pki/ca-trust/extracted/java/cacerts /usr/share/elasticsearch/jdk/lib/security/cacerts

EXPOSE 9200 9300

RUN mkdir -p /licenses

COPY terms-and-conditions.pdf /licenses/terms-and-conditions.pdf

COPY --from=source /licenses/LICENSE /licenses/LICENSE

USER elasticsearch:root

ENTRYPOINT ["/bin/tini", "--", "/usr/local/bin/docker-entrypoint.sh"]

CMD ["eswrapper"]

And in this particular case (this also happens if using ubi8/ubi image, by the way), I can see that there are three packages, among the ones installed with microdnf, that have setuid permissions:

[root@f83a39b0d719 /]# ls /usr/bin/ | grep chage
chage
[root@f83a39b0d719 /]# ls /usr/bin/ | grep gpasswd
gpasswd
[root@f83a39b0d719 /]# ls /usr/bin/ | grep newgrp
newgrp
[root@f83a39b0d719 /]# find / -xdev -perm -4000
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/newgrp

So, in the end, this means that, when we reach the line I was commenting on before, it is not a no-op; it really removes the setuid permissions from these three binaries.

I would like to ask you whether this is expected, in which case this action is really needed and there must be a typo in the comments, since this is really a command that is doing something; or, on the other hand, whether this should not be done.

Also, I would like to ask if these three binaries are really needed for Elasticsearch. My impression is that they come as extra packages from the ones installed here, and may not be needed for the normal performance of the tool, since they're not used in the Dockerfile and I believe all permissions, groups, etc. are set up before running Elasticsearch.

Thank you for your support!
BR,
Ramón.
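As an added example (not from the post above nor from the Elasticsearch project), the following POSIX shell script reproduces what the Dockerfile's find line does on a constructed fixture directory, so the "is it a no-op" question can be checked before and after the strip. It also shows a caveat worth knowing when auditing the image: -perm -4000 matches only files with the setuid bit, so a file carrying only setgid is not matched even though the comment mentions both bits; -perm /6000 catches either. The file names and the temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit setuid/setgid bits under a directory tree, the same
# mechanism as the Dockerfile line  find / -xdev -perm -4000 -exec chmod ug-s {} +

# Files matched by the Dockerfile's own predicate: setuid bit set (mode 4000).
list_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Files with setuid OR setgid set (-perm /6000 = any of the bits 4000|2000).
list_suid_sgid() {
    find "$1" -xdev -type f -perm /6000 2>/dev/null | sort
}

# Count of setuid-or-setgid files; non-zero means the strip is not a no-op.
count_suid_sgid() {
    list_suid_sgid "$1" | wc -l | tr -d ' '
}

# Count using only the Dockerfile's predicate, for comparison.
count_setuid() {
    list_setuid "$1" | wc -l | tr -d ' '
}

# Strip both bits from every file that has either, keeping the rest of the mode.
# This differs from the Dockerfile line only in matching setgid-only files too.
strip_suid_sgid() {
    find "$1" -xdev -type f -perm /6000 -exec chmod ug-s {} +
}

# Constructed fixture (hypothetical names mirroring the post's three binaries,
# plus one setgid-only file and one plain file). Prints the directory path.
make_fixture() {
    dir=$(mktemp -d)
    for f in chage gpasswd newgrp; do
        printf '#!/bin/sh\n' > "$dir/$f" && chmod 4755 "$dir/$f"   # setuid, like the post
    done
    printf '#!/bin/sh\n' > "$dir/sgid_only" && chmod 2755 "$dir/sgid_only"  # setgid only
    printf '#!/bin/sh\n' > "$dir/plain"     && chmod 0755 "$dir/plain"      # no special bits
    echo "$dir"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(make_fixture)
    echo "before: setuid=$(count_setuid "$d") setuid|setgid=$(count_suid_sgid "$d")"
    strip_suid_sgid "$d"
    echo "after:  setuid=$(count_setuid "$d") setuid|setgid=$(count_suid_sgid "$d")"
    rm -rf "$d"
fi
```

Run with --demo to see the before/after counts; the same functions can be pointed at / inside a container (run as root) to list what the Dockerfile line will actually touch.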
