Permission issue on /usr/local/libexec prevents using plugins from /usr/libexec #5643

Closed
mihalyr opened this issue Nov 22, 2024 · 0 comments · Fixed by #5651

mihalyr commented Nov 22, 2024

Description

I think there is a bug in how docker cli resolves the plugin paths. Described also in https://discussion.fedoraproject.org/t/docker-plugins-on-f41-not-working/138199/9

Given a directory /usr/libexec/docker/cli-plugins with correct permissions (root:root 755) and a plugin /usr/libexec/docker/cli-plugins/docker-buildx, if we create a directory /usr/local/libexec with permissions (root:root 750), running docker build fails as it won't find buildx.

I suspect that, as docker-cli checks for plugins in the directories in precedence order, if any of the directories is not accessible the plugin search fails, directories specified later in the precedence order are not checked, and thus plugins in other folders won't be found.

The workaround is easy, just fix the permissions, so it's not a big problem. But I would expect docker-cli to skip such a directory as it does with non-existent directories.

Reproduce

  1. Given docker plugin /usr/libexec/docker/cli-plugins/docker-buildx
  2. Remove non-root access from a higher precedence plugin folder: chmod 750 /usr/local/libexec
  3. Try to run the plugin via docker-cli: docker buildx
  4. It fails with: docker: 'buildx' is not a docker command.

Expected behavior

docker buildx works, because the plugin under /usr/libexec/docker/cli-plugins is still accessible.

docker version

Client:
 Version:           27.3.1
 API version:       1.41 (downgraded from 1.47)
 Go version:        go1.23.1
 Git commit:        2.fc41
 Built:             Tue Sep 24 00:00:00 2024
 OS/Arch:           linux/amd64
 Context:           default

Server: linux/amd64/fedora-41
 Podman Engine:
  Version:          5.2.5
  APIVersion:       5.2.5
  Arch:             amd64
  BuildTime:        2024-10-18T02:00:00+02:00
  Experimental:     false
  GitCommit:        
  GoVersion:        go1.23.2
  KernelVersion:    6.11.8-300.fc41.x86_64
  MinAPIVersion:    4.0.0
  Os:               linux
 Conmon:
  Version:          conmon version 2.1.12, commit: 
  Package:          conmon-2.1.12-3.fc41.x86_64
 OCI Runtime (crun):
  Version:          crun version 1.18.1
commit: c41f034fdbb9742c395085fc98459c94ad1f9aae
rundir: /run/user/3000/crun
spec: 1.0.0
+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  Package:          crun-1.18.1-1.fc41.x86_64
 Engine:
  Version:          5.2.5
  API version:      1.41 (minimum version 1.24)
  Go version:       go1.23.2
  Git commit:       
  Built:            Fri Oct 18 02:00:00 2024
  OS/Arch:          linux/amd64
  Experimental:     false

docker info

~ docker info
Client:
 Version:    27.3.1
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  0.18.0
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.23.1
    Path:     /usr/local/lib/docker/cli-plugins/docker-compose

Server:
 Containers: 4
  Running: 2
  Paused: 0
  Stopped: 2
 Images: 20
 Server Version: 5.2.5
 Storage Driver: overlay
  Backing Filesystem: btrfs
  Supports d_type: true
  Native Overlay Diff: true
  Using metacopy: false
  Supports shifting: false
  Supports volatile: true
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge macvlan ipvlan
  Log: k8s-file none passthrough journald
 Swarm: inactive
 Runtimes: crun crun-vm kata ocijail youki crun-wasm krun runc runj runsc
 Default Runtime: crun
 Init Binary: 
 containerd version: 
 runc version: 
 init version: 
 Security Options:
  seccomp
   Profile: default
  rootless
  selinux
 Kernel Version: 6.11.8-300.fc41.x86_64
 Operating System: fedora
 OSType: linux
 Architecture: amd64
 CPUs: 12
 Total Memory: 31.19GiB
 Name: eli
 ID: 09ac0646-46a4-4440-950a-65af1d419340
 Docker Root Dir: /var/home/mihalyr/.local/share/containers/storage
 Debug Mode: false
 Experimental: true
 Live Restore Enabled: false
 Product License: Apache-2.0

Additional Info

No response
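As an added example (not code from docker/cli or from the reporter), this is the skip-on-inaccessible behaviour the report expects, written as a small Go plugin-directory scan. The directory names come from the report; the search order and the "first hit wins" rule are assumptions for illustration. The detail worth noting is that a subdirectory that does not exist under an unreadable parent (the root:root 750 /usr/local/libexec case) fails with EACCES rather than ENOENT, so a scanner that only skips "not found" still aborts.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// findPlugins scans dirs in precedence order and maps each plugin name to the
// first "docker-<name>" file found. Directories that are missing OR unreadable
// are skipped (an unreadable parent yields EACCES, not ENOENT, for its children).
func findPlugins(dirs []string) (map[string]string, error) {
	found := map[string]string{}
	for _, dir := range dirs {
		entries, err := os.ReadDir(dir)
		if err != nil {
			if errors.Is(err, fs.ErrNotExist) || errors.Is(err, fs.ErrPermission) {
				continue // skip this directory and keep searching lower-precedence ones
			}
			return nil, fmt.Errorf("scanning %s: %w", dir, err)
		}
		for _, e := range entries {
			if e.IsDir() || !strings.HasPrefix(e.Name(), "docker-") {
				continue
			}
			name := strings.TrimPrefix(e.Name(), "docker-")
			if _, seen := found[name]; !seen { // first hit (highest precedence) wins
				found[name] = filepath.Join(dir, e.Name())
			}
		}
	}
	return found, nil
}

func main() {
	// Constructed demo with the two directories from the report; order is assumed.
	plugins, err := findPlugins([]string{
		"/usr/local/libexec/docker/cli-plugins", // unreadable parent in the report
		"/usr/libexec/docker/cli-plugins",       // holds docker-buildx
	})
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for name, path := range plugins {
		fmt.Printf("%s -> %s\n", name, path)
	}
}
```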
