hashicorp / go-plugin

Golang plugin system over RPC.
Mozilla Public License 2.0

permission denied on sharing unix domain sockets with different user #151

Open msays2000 opened 4 years ago

msays2000 commented 4 years ago

Mother host process running as user A. Plugin process running with sudo, i.e. root.

Plugin creates a unix domain socket at /tmp/plugin226668393 but mother host is unable to connect.

rpc error: code = Unavailable desc = connection error: desc = "transport: error while dialing: dial unix /tmp/plugin226668393: connect: permission denied"

Possible solutions:

- Shared directory
- Use TCP instead in Linux

tomhjp commented 11 months ago

This will be because the plugin's UDS listener is owned by root with 0o600 permissions. The library recently got a new ClientConfig.UnixSocketConfig option which offers a solution to this situation. You can set Group to any group that user A is in, and it will change the group owner of the socket to that group, and set the permissions on the socket to 0o660 so that user A gets rw permission to the socket via its group membership.

Note that the plugin's group membership (and whether it's root or not) doesn't matter because it retains rw permission through the user owner and permission bits, just like it did previously.