4.8 Remove setuid and setgid permissions in the images

Information

Removing setuid and setgid permissions in the images would prevent privilege escalation
attacks in the containers. setuid and setgid permissions could be used for elevating
privileges. While these permissions are at times legitimately needed, they could
potentially be used in privilege escalation attacks. Thus, you should consider dropping
these permissions for the packages which do not need them within the images.

Solution

Allow setuid and setgid permissions only on executables which need them. You could
remove these permissions during build time by adding the following command in your
Dockerfile, preferably towards the end of the Dockerfile:

    RUN find / -perm /6000 -type f -exec chmod a-s {} \; || true

The mode test is written /6000 because current GNU find rejects the older +6000 form,
an error the trailing || true would hide.

Impact: The above command breaks all the executables that depend on setuid or setgid
permissions, including the legitimate ones. Hence, be careful to modify the command to
suit your requirements so that it does not drop the permissions of legitimate programs.
This requires a careful examination of each executable and fine tuning the permissions.

Default Value: Not Applicable
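
One way to tune the command as the Impact note asks, shown as an added example that is not part of the benchmark text: a POSIX shell function that strips the bits everywhere except on an explicit allowlist and logs each decision. The function name strip_suid, the script file name and the kept path /usr/bin/su are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the benchmark text.
# strip_suid ROOT [KEEP_PATH ...]
#   Clears setuid/setgid on every regular file under ROOT except the exact
#   paths listed as KEEP_PATH, and reports each decision so the build log
#   records what was reviewed. Returns non-zero if find or any chmod fails.
strip_suid() {
    root=$1; shift
    rc=0
    list=$(mktemp) || return 1
    # "-perm -4000 -o -perm -2000" is the POSIX spelling of "/6000".
    # -xdev keeps the walk on ROOT's filesystem (skips /proc, /sys, mounts).
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print \
        > "$list" || rc=1
    # Paths containing newlines are not handled by this line-based loop.
    while IFS= read -r f; do
        keep=no
        for k in "$@"; do
            if [ "$f" = "$k" ]; then keep=yes; break; fi
        done
        if [ "$keep" = yes ]; then
            echo "kept $f"
        elif chmod a-s "$f"; then
            echo "stripped $f"
        else
            echo "FAILED $f" >&2
            rc=1
        fi
    done < "$list"
    rm -f "$list"
    return "$rc"
}

# Hypothetical Dockerfile usage (script name and kept path are assumptions):
#   COPY strip_suid.sh /tmp/strip_suid.sh
#   RUN sh /tmp/strip_suid.sh / /usr/bin/su && rm /tmp/strip_suid.sh
if [ "$#" -gt 0 ]; then
    strip_suid "$@"
fi
```

Unlike the one-line form, this fails the build step when a permission change does not apply instead of masking the error.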

See Also

https://workbench.cisecurity.org/files/517