
Socket path security checks can fail when the client is in a container #51

Closed
@paulhowardarm

Description


Summary

Client-side socket path security checks can (and most likely will) fail if the client is running in a Docker container.

Repro

On any Linux system, create a secure deployment of Parsec according to these documented steps.

Use the following numeric UIDs and GIDs (or else change the examples used in this repro recipe for different values):

- 2000 for the parsec user
- 3000 for the parsec-clients group
- 2001 for the parsec-client-1 example client user

Start the Parsec service as the parsec user.

Clone and build the parsec-tool. Use `cargo build` to build the default set of features. This will include the Rust client with the socket folder permission checks.

Install Docker.

Change directory to where parsec-tool is checked out.

Create a Dockerfile with the following contents:

```dockerfile
FROM debian
ADD target/debug/* /
CMD ["/parsec-tool", "ping"]
```

From the same directory run `docker build --tag parsec-ping .`

A Docker image should be created. Run the image as follows:

```shell
docker run -v /run/parsec:/run/parsec -u 2001:3000 parsec-ping
```

EXPECTED: The docker container should execute the parsec-tool ping command running as user 2001 in group 3000 (which is parsec-client-1 in group parsec-clients). The output should be a successful ping of the service, reporting the supported wire protocol version.

OBSERVED: The container image runs, but the ping fails with an error saying `Socket permission checks failed`.

Root Cause

The issue is caused by the Rust client checking the folder permissions by user name and group name rather than by UID and GID respectively. The parsec and parsec-clients names are known to the host, but not known within the container (its image has its own /etc/passwd and /etc/group), hence the permission checks fail.

Required Fix

We either need to relax the restrictions on the socket folder, or do the checks based on numeric ids rather than names. For the latter, we would need to document well-known numeric IDs for the parsec user and parsec-clients group.
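The two check strategies side by side, as an added illustration that is not the parsec client's own code: a name-based check, which breaks as soon as the owner's UID has no entry in the container's user database, and a numeric check using the well-known IDs from the repro above (2000/3000 are assumed values, not IDs the project has fixed). The user databases and the `/run/parsec` ownership are constructed stand-ins; the "other" mode-bit check is an assumed hardening, not something the report specifies.

```python
import os
import stat
from dataclasses import dataclass
from typing import Callable

# Assumed well-known numeric ids (the values from the repro; not fixed by the project).
PARSEC_UID = 2000
PARSEC_CLIENTS_GID = 3000


@dataclass(frozen=True)
class SocketDir:
    """Ownership and permission bits of the socket directory (e.g. /run/parsec)."""
    uid: int
    gid: int
    mode: int


def from_path(path: str) -> SocketDir:
    """Read the real ownership of a directory on a live system."""
    st = os.stat(path)
    return SocketDir(st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))


# Constructed user databases: the host knows the parsec accounts, the container image does not.
HOST_USERS = {2000: "parsec", 2001: "parsec-client-1"}
HOST_GROUPS = {3000: "parsec-clients"}
CONTAINER_USERS = {0: "root"}
CONTAINER_GROUPS = {0: "root"}


def check_by_name(d: SocketDir, user_name: Callable[[int], str],
                  group_name: Callable[[int], str]) -> tuple[bool, str]:
    """The behaviour the report describes: resolve ids to names and compare the names.
    On a live system pass lambda u: pwd.getpwuid(u).pw_name and lambda g: grp.getgrgid(g).gr_name,
    which raise KeyError for ids missing from /etc/passwd or /etc/group, just like the dicts here."""
    try:
        owner, group = user_name(d.uid), group_name(d.gid)
    except KeyError as e:
        return False, f"id {e.args[0]} has no name in this user database"
    if (owner, group) != ("parsec", "parsec-clients"):
        return False, f"socket directory is owned by {owner}:{group}"
    return True, "ok"


def check_by_id(d: SocketDir) -> tuple[bool, str]:
    """Proposed fix: compare numeric ids only, so the result does not depend on the container's /etc/passwd."""
    if d.uid != PARSEC_UID:
        return False, f"socket directory owner uid {d.uid} != {PARSEC_UID}"
    if d.gid != PARSEC_CLIENTS_GID:
        return False, f"socket directory group gid {d.gid} != {PARSEC_CLIENTS_GID}"
    if d.mode & stat.S_IRWXO:  # assumed hardening: directory must not be world-accessible
        return False, f"socket directory mode {oct(d.mode)} is world-accessible"
    return True, "ok"


# Constructed: what a secure deployment leaves behind, owned parsec:parsec-clients, mode 0750.
RUN_PARSEC = SocketDir(uid=2000, gid=3000, mode=0o750)

if __name__ == "__main__":
    print("host, by name:     ", check_by_name(RUN_PARSEC, HOST_USERS.__getitem__, HOST_GROUPS.__getitem__))
    print("container, by name:", check_by_name(RUN_PARSEC, CONTAINER_USERS.__getitem__, CONTAINER_GROUPS.__getitem__))
    print("container, by id:  ", check_by_id(RUN_PARSEC))
```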
