Merge pull request #143 from influxdata/chore/rebuild-sinker-to-addre…

…ss-jan-2024-glibc-updates-for-debian-bookworm chore: rebuild sinker to address jan-2024 glibc updates for debian bookworm
influxdata · May 15, 2024 · f4bc2ff · f4bc2ff
2 parents 3712f0c + 73f29d6
commit f4bc2ff
Showing 1 changed file with 9 additions and 2 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -18,12 +18,19 @@ RUN cargo build --release --bin sinker
 # We do not need the Rust toolchain to run the binary!
 FROM debian:bookworm-slim@sha256:f80c45482c8d147da87613cb6878a7238b8642bcc24fc11bad78c7bec726f340
 
+# Update the system and install necessary packages
 RUN apt update \
     && apt install --yes ca-certificates libssl3 --no-install-recommends \
-    && rm -rf /var/lib/{apt,dpkg,cache,log} \
-    && groupadd --gid 1500 sinker \
+    && rm -rf /var/lib/{apt,dpkg,cache,log}
+
+# Remove setuid/setgid bits from executables as a hardening measure so non-root processes can't escalate.
+RUN find / \( -path /dev -o -path /proc -o -path /sys \) -prune -o -type f \( -perm -4000 -o -perm -2000 \) -exec chmod a-s {} \;
+
+# Create a dedicated user and group for the application
+RUN groupadd --gid 1500 sinker \
     && useradd --uid 1500 --gid sinker --shell /bin/bash --create-home sinker
 
+
 USER sinker
 
 WORKDIR app