From c9b77f2af584753af743a1b39d360ba50d97b8cc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Przemys=C5=82aw=20Hejman?=
Date: Thu, 6 Feb 2020 16:44:10 +0100
Subject: [PATCH] Remove suid bit from Docker image files to mitigate Stack Clash (#56826)

---
 .../docker_generator/templates/dockerfile.template.js | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/dev/build/tasks/os_packages/docker_generator/templates/dockerfile.template.js b/src/dev/build/tasks/os_packages/docker_generator/templates/dockerfile.template.js
index 6ad34c439a233..5832d00162b20 100755
--- a/src/dev/build/tasks/os_packages/docker_generator/templates/dockerfile.template.js
+++ b/src/dev/build/tasks/os_packages/docker_generator/templates/dockerfile.template.js
@@ -102,6 +102,9 @@ function generator({
   RUN chmod g+ws /usr/share/kibana && \\
     find /usr/share/kibana -gid 0 -and -not -perm /g+w -exec chmod g+w {} \\;
 
+  # Remove the suid bit everywhere to mitigate "Stack Clash"
+  RUN find / -xdev -perm -4000 -exec chmod u-s {} +
+
   # Provide a non-root user to run the process.
   RUN groupadd --gid 1000 kibana && \\
     useradd --uid 1000 --gid 1000 \\
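Review bot: The added `find` strips only the setuid bit (`-perm -4000`), so any setgid binaries in the base image keep their elevated group privileges and remain usable for the same class of local privilege escalation the commit is trying to close off. The context line just above already uses GNU find's `-perm /g+w` slash form, so the same tool can match either bit in one pass: `RUN find / -xdev -type f -perm /6000 -exec chmod a-s {} +`, with the comment reworded to `# Remove setuid/setgid bits from every file in the image so no in-image binary can be abused for local privilege escalation (e.g. "Stack Clash")`. This step also only covers files present in the layer where it runs; if any later RUN in this template installs packages, that could reintroduce such binaries, so it should presumably sit after the last install step (cannot be confirmed from this hunk). The template-literal body of `generator` starts and ends outside the hunk.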