Arize get rid of ebay dev/suid guid CVEs (gazette#17)

Arize-ai · Nov 7, 2023 · 1545ac3 · 1545ac3
1 parent 2c8515c
commit 1545ac3
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/mk/ci-release.Dockerfile b/mk/ci-release.Dockerfile
@@ -18,6 +18,10 @@ RUN apt-get update -y \
 COPY * /usr/local/bin/
 RUN mv /usr/local/bin/librocksdb.so* /usr/local/lib/ && ldconfig
 
+# Arize - remove a few base utilities flagged by security scans as having suid/sgid set.
+# Note: we did not see these bits set ourselves when deploying in our test cluster.
+RUN rm -f /usr/bin/mount /usr/bin/umount /usr/bin/su /usr/bin/wall
+
 # Run as non-privileged "gazette" user.
 RUN useradd gazette --create-home --shell /usr/sbin/nologin
 USER gazette