Summary
Client-side socket path security checks can (and most likely will) fail if client is running in a Docker container.
Repro
On any Linux system, create a secure deployment of Parsec according to these documented steps.
Use the following numeric UIDs and GIDs (or else change the examples used in this repro recipe for different values)
2000
for the parsec
user
3000
for the parsec-clients
group
2001
for the parsec-client-1
example client user
Start the Parsec service as the parsec
user.
Clone and build the parsec-tool. Use cargo build
to build the default set of features. This will include the rust client with the socket folder permission checks.
Install Docker.
Change directory to where parsec-tool
is checked out.
Create a Dockerfile
with the following contents:
FROM debian
ADD target/debug/* /
CMD ["/parsec-tool", "ping"]
From the same directory run docker build --tag parsec-ping .
A docker image should be created. Run the image as follows:
docker run -v /run/parsec:/run/parsec -u 2001:3000 parsec-ping
EXPECTED: The docker container should execute the parsec-tool ping
command running as user 2001
in group 3000
(which is parsec-client-1
in group parsec-clients
). The output should be a successful ping of the service, reporting the supported wire protocol version.
OBSERVED: The container image runs, but the ping fails with an error saying Socket permission checks failed.
Root Cause
The issue is caused by the rust client checking the folder permissions by name and group name rather than by uid and gid respectively. The parsec
and parsec-clients
names are known to the host, but not known within the container, hence the permission checks fail.
Required Fix
We either need to relax the restrictions on the socket folder, or do the checks based on numeric ids rather than names. For the latter, we would need to document well-known numeric IDs for the parsec
user and parsec-clients
group.