Remove suid bit from Docker image files to mitigate Stack Clash (#56826)

elastic · Feb 6, 2020 · c9b77f2 · c9b77f2
1 parent 9c46ce8
commit c9b77f2
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/src/dev/build/tasks/os_packages/docker_generator/templates/dockerfile.template.js b/src/dev/build/tasks/os_packages/docker_generator/templates/dockerfile.template.js
@@ -102,6 +102,9 @@ function generator({
   RUN chmod g+ws /usr/share/kibana && \\
       find /usr/share/kibana -gid 0 -and -not -perm /g+w -exec chmod g+w {} \\;
 
+  # Remove the suid bit everywhere to mitigate "Stack Clash"
+  RUN find / -xdev -perm -4000 -exec chmod u-s {} +
+
   # Provide a non-root user to run the process.
   RUN groupadd --gid 1000 kibana && \\
       useradd --uid 1000 --gid 1000 \\