[BUG] Assign correct groups to Consul user #132

Open
lukas9393 opened this issue Jul 26, 2019 · 0 comments

I have planned to restart the container with a "Watches" after every change of the values.

Therefore I added a "Watches" to the Consul client with a shell script.
This script executes a docker restart command.
I loaded the docker.sock with a volume bind into the container and extended the consul client with a docker group with the same GID as the host system.

Unfortunately the consul process could not execute the script successfully; the output was the following:

```
ERROR: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.40/info: dial unix /var/run/docker.sock: connect: permission denied
```

After that, the user consul could execute Docker itself and I verified it with the following command:

```
➜ docker exec -u 100 -it consul sh
/ $ whoami
consul
/ $ docker info | head
Client:
 Debug Mode: false

Server:
 Containers: 1
  Running: 1
  Paused: 0
  Stopped: 0
 Images: 1875
 Server Version: 18.09.2
```

I was able to rule out an error in the Docker settings. The user can obviously interact with Docker.
After a short investigation I found the following command: `set -- su-exec consul:consul "$@"`
https://github.com/hashicorp/docker-consul/blob/master/0.X/docker-entrypoint.sh#L95

This command starts the client as Consul user.

If consul is started in this way, the process will run only with the uid and gid of consul; any other groups the user consul is in will be ignored.

```
~/
➜ docker run -d --name consul consul >/dev/null

~/
➜ docker exec -it consul sh
/ # whoami
root
/ # apk --no-cache add shadow >/dev/null
/ # groupadd docker -g 998
/ # usermod -a -G docker consul
/ # su-exec consul:consul /usr/bin/id
uid=100(consul) gid=1000(consul) groups=1000(consul)
/ # exit

~/
➜ docker exec -u 100 -it consul sh
/ $ whoami
consul
/ $ /usr/bin/id
uid=100(consul) gid=1000(consul) groups=998(docker),1000(consul)
```

With this issue I want to suggest the following:

  • Remove the explicit name of the consul group, so that su-exec adds all of consul's groups to the process.

```
~/
➜ docker exec -it consul sh
/ # whoami
root
/ # su-exec consul /usr/bin/id
uid=100(consul) gid=1000(consul) groups=998(docker),1000(consul),1000(consul)
```

What exactly happens in that case can be seen in this line:
https://github.com/ncopa/su-exec/blob/master/su-exec.c#L82

My current solution is to add the following command to my image:

```
RUN sed -i '/    set -- su-exec consul:consul "$@"/c\    set -- su-exec consul "$@"' /usr/local/bin/docker-entrypoint.sh
```

But as far as I can see, there isn't any issue with starting the process with its associated groups.
If the user of the image adds the user consul to groups, then removing all groups (while running the process) cannot be considered a security mechanism.
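The group-list behaviour the post describes, modelled in Python as an added example (this is not su-exec's or the consul image's own code); the passwd/group tables are constructed from the uid/gid values in the post's `id` output, and `can_use_docker_socket` assumes a socket owned by root:docker with mode 0660.

```python
"""Model of how a 'user' vs 'user:group' spec decides the supplementary
groups a su-exec'd process ends up with (added example, not su-exec code)."""

# Constructed stand-ins for /etc/passwd and /etc/group, using the numbers
# from the issue: consul is uid 100 / gid 1000, docker is gid 998.
PASSWD = {"consul": (100, 1000), "root": (0, 0)}       # name -> (uid, gid)
GROUPS = {                                             # name -> (gid, members)
    "consul": (1000, ["consul"]),   # membership entry reproduces the duplicate
    "docker": (998, ["consul"]),    # added with groupadd/usermod in the post
    "root": (0, []),
}


def getgrouplist(user, base_gid):
    """Mimic getgrouplist(3): the base gid first, then every group whose
    member list names the user. The base gid is not de-duplicated, which is
    why the post shows groups=998(docker),1000(consul),1000(consul)."""
    return [base_gid] + [gid for gid, members in GROUPS.values() if user in members]


def resolve_spec(spec):
    """Return (uid, gid, groups) that would be passed to setgroups/setgid/setuid.

    'user:group' pins exactly one group and skips the grouplist lookup, so
    every supplementary group is dropped; a bare 'user' keeps them all.
    """
    user, _, group = spec.partition(":")
    if user not in PASSWD:
        raise KeyError(f"unknown user {user!r}")
    uid, gid = PASSWD[user]
    if group:
        gid = GROUPS[group][0]
        return uid, gid, [gid]
    return uid, gid, getgrouplist(user, gid)


def can_use_docker_socket(spec, socket_gid=998):
    """True if the resulting process passes the 0660 group check on a
    docker.sock owned by root:docker (root bypasses DAC entirely)."""
    uid, gid, groups = resolve_spec(spec)
    return uid == 0 or gid == socket_gid or socket_gid in groups
```

Whichever spec form is used, any process that can open docker.sock can start privileged containers, so membership in the docker group should be treated as root-equivalent on the host when reviewing such a setup.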
