Make ES files inside Docker container world readable (#64274)

Running the Elasticsearch Docker image with a different GID is possible but trappy, since at present all the ES files are only readable by the user and group. This PR documents a Docker CLI flag that fixes this situation, by ensuring the container user is added to the default group (which is `root`, GID 0). I also added a test for this case, and refactored the Docker tests to use a builder pattern for constructing the `docker run` command. The existing code was becoming unwieldy and hard to change.
2025-04-24 15:17:30 -04:00 · 2020-10-30 13:26:44 +00:00 · 2020-10-30 13:26:44 +00:00 · a32a0986c3
commit a32a0986c3
parent 7492cc97e5
7 changed files with 203 additions and 118 deletions
--- a/distribution/docker/src/docker/Dockerfile
+++ b/distribution/docker/src/docker/Dockerfile
@ -274,10 +274,13 @@ COPY bin/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
 # 2. Sync the user and group permissions of /etc/passwd
 # 3. Set correct permissions of the entrypoint
 # 4. Ensure that there are no files with setuid or setgid, in order to mitigate "stackclash" attacks.
-RUN find /usr/share/elasticsearch/jdk -type d -exec chmod 0755 '{}' \\; && \\
+# 5. Ensure all files are world-readable by default. It should be possible to
+#    examine the contents of the image under any UID:GID
+RUN find /usr/share/elasticsearch/jdk -type d -exec chmod 0755 {} + && \\
    chmod g=u /etc/passwd && \\
    chmod 0775 /usr/local/bin/docker-entrypoint.sh && \\
-    find / -xdev -perm -4000 -exec chmod ug-s {} +
+    find / -xdev -perm -4000 -exec chmod ug-s {} + && \\
+    find /usr/share/elasticsearch -type f -exec chmod o+r {} +

 EXPOSE 9200 9300