Tighten up write permissions in Docker image #70635
Conversation
Recursively remove write access from the `bin`, `jdk`, `lib` and `modules` directories, since this access is not required, and removing it makes it harder to exploit other issues in an ES distribution.
pugnascotia
added
>enhancement
:Delivery/Packaging
|
Pinging @elastic/es-delivery (Team:Delivery) |
|
Instead of giving the entire ES install permissions and then restricting a fixed set from write permissions, can we instead explicitly give write permissions to the dirs that actually need it? Otherwise any additions (or even renames) of these directories in the future would need corresponding changes here which would be easy to miss. |
This seems reasonable. How difficult would this be? |
|
I pushed a change so that all permissions are explicitly set under |
|
I was thinking more about keeping the original permissions, and just changing the owner so it is root like rpm/deb have. |
|
@rjernst see what you think of the latest changes. |
| ln -sf /etc/pki/ca-trust/extracted/java/cacerts /usr/share/elasticsearch/jdk/lib/security/cacerts | ||
| ln -sf /etc/pki/ca-trust/extracted/java/cacerts /usr/share/elasticsearch/jdk/lib/security/cacerts && \\ | ||
| chmod 0755 /usr/share/elasticsearch && \\ | ||
| chgrp 1000 bin && \\ |
There was a problem hiding this comment.
Why does bin need to be group owned by the running user? The files all are o+rx right?
| ln -sf /etc/pki/ca-trust/extracted/java/cacerts /usr/share/elasticsearch/jdk/lib/security/cacerts && \\ | ||
| chmod 0755 /usr/share/elasticsearch && \\ | ||
| chgrp 1000 bin && \\ | ||
| chgrp -R 1000 config data logs plugins |
There was a problem hiding this comment.
Why does the plugins dir need to be grouped for the running user?
| public static final Set<PosixFilePermission> p755 = fromString("rwxr-xr-x"); | ||
| public static final Set<PosixFilePermission> p750 = fromString("rwxr-x---"); | ||
| public static final Set<PosixFilePermission> p660 = fromString("rw-rw----"); | ||
| public static final Set<PosixFilePermission> p444 = fromString("r--r--r--"); |
|
I realised that I had changed the image to use a default group of Instead, the image still uses group |
|
I went back over these changes again, and basically tried to lock things down as much as possible, while making it possible to install plugins without jumping through ridiculous hoops. See what you think. |
|
@elasticmachine update branch |
|
@elasticmachine update branch |
| find . -type d -exec chmod 0555 {} + && \\ | ||
| find . -type f -exec chmod 0444 {} + && \\ | ||
| chmod 0555 bin/* jdk/bin/* jdk/lib/jspawnhelper modules/x-pack-ml/platform/linux-\$(arch)/bin/* && \\ | ||
| chmod 0775 config config/jvm.options.d data logs plugins && \\ |
There was a problem hiding this comment.
Including plugins here seems problematic. They are code, and should therefore not be writeable by the user that runs elasticsearch.
There was a problem hiding this comment.
I remember we discussed the plugins a while ago in #69533. Being able to install a plugin while running Elasticsearch as a non-root user (FWIW: ideally without the need to --group-add 0) is vital for Cloud deployments.
| find . -type f -exec chmod o+r {} + | ||
| find . -type d -exec chmod 0555 {} + && \\ | ||
| find . -type f -exec chmod 0444 {} + && \\ | ||
| chmod 0555 bin/* jdk/bin/* jdk/lib/jspawnhelper modules/x-pack-ml/platform/linux-\$(arch)/bin/* && \\ |
There was a problem hiding this comment.
The correct files already are executable in the original archive that is extracted. Why was the executable bit removed in the first place? Seems like we should just keep it as it was, instead of trying to reform what is executable here.
| @@ -287,8 +285,7 @@ RUN ${package_manager} update --setopt=tsflags=nodocs -y && \\ | |||
|
|
|||
| RUN groupadd -g 1000 elasticsearch && \\ | |||
| adduser -u 1000 -g 1000 -G 0 -d /usr/share/elasticsearch elasticsearch && \\ | |||
| chmod 0775 /usr/share/elasticsearch && \\ | |||
| chown -R 1000:0 /usr/share/elasticsearch | |||
| chown -R 0:0 /usr/share/elasticsearch | |||
There was a problem hiding this comment.
The rpm/deb packages setup ownership so that the group is the elasticsearch user, which is readable but not writable. Can we just keep the original permissions defined in the distribution and fix the ownership?
| @@ -147,7 +147,7 @@ public void test041AmazonCaCertsAreInTheKeystore() { | |||
| public void test042KeystorePermissionsAreCorrect() throws Exception { | |||
| waitForElasticsearch(installation); | |||
|
|
|||
| assertPermissionsAndOwnership(installation.config("elasticsearch.keystore"), p660); | |||
| assertPermissionsAndOwnership(installation.config("elasticsearch.keystore"), "elasticsearch", "root", p660); | |||
There was a problem hiding this comment.
This seems backwards. Shouldn't the group be elasticsearch and the owner be root?
There was a problem hiding this comment.
The startup process creates this if necessary at startup, so it has to be elasticsearch:root.
…rms-in-docker-image
|
I've picked up this work again, and I've been scratching my head over what we're trying to do and what are the constraints. I think it would helpful to lay these out:
To sum up, I'm don't believe reusing the archive permissions is desirable. What I've tried to do here is use Plugins complicate the picture, because not only does the executing user need write access to |
…mage' into restrict-write-perms-in-docker-image
…rms-in-docker-image
|
Hi @pugnascotia, I've created a changelog YAML for you. |
Explicitly set permissions for all files in the Elasticsearch home directory to the minimum required set, and change ownership to `root:root` where possible.
|
Backported to |
This reverts commit c04dc4c.
|
FYI, I've reverted the backport to |
This re-applies commit 8effc56.
|
Bah, sorry about that. New backport in #76006. FWIW, I did run the |
Recursively remove write access from the
bin,jdk,libandmodulesdirectories, since this access is not required, and removingit makes it harder to exploit other issues in an ES distribution.