Merge pull request #5953 from tiborvass/remove-chmod-755

remove chmod 755: fixes #5941

docs/sources/reference/builder.md

@@ -235,7 +235,9 @@ being built (also called the *context* of the build) or a remote file URL.
 `<dest>` is the absolute path to which the source will be copied inside the
 destination container.
 
-All new files and directories are created with mode 0755, uid and gid 0.
+All new files and directories are created with a uid and gid of 0.
+
+In the case where `<src>` is a remote file URL, the destination will have permissions 600.
 
 > **Note**:
 > If you build using STDIN (`docker build - < somefile`), there is no

integration-cli/build_tests/TestAdd/EtcToRoot/Dockerfile

@@ -0,0 +1,2 @@
+FROM scratch
+ADD . /

integration-cli/build_tests/TestAdd/SingleFileToRoot/Dockerfile

@@ -5,5 +5,5 @@ RUN touch /exists
 RUN chown dockerio.dockerio /exists
 ADD test_file /
 RUN [ $(ls -l /test_file | awk '{print $3":"$4}') = 'root:root' ]
-RUN [ $(ls -l /test_file | awk '{print $1}') = '-rwxr-xr-x' ]
+RUN [ $(ls -l /test_file | awk '{print $1}') = '-rw-r--r--' ]
 RUN [ $(ls -l /exists | awk '{print $3":"$4}') = 'dockerio:dockerio' ]

integration-cli/build_tests/TestAdd/WholeDirToRoot/Dockerfile

@@ -7,5 +7,5 @@ ADD test_dir /test_dir
 RUN [ $(ls -l / | grep test_dir | awk '{print $3":"$4}') = 'root:root' ]
 RUN [ $(ls -l / | grep test_dir | awk '{print $1}') = 'drwxr-xr-x' ]
 RUN [ $(ls -l /test_dir/test_file | awk '{print $3":"$4}') = 'root:root' ]
-RUN [ $(ls -l /test_dir/test_file | awk '{print $1}') = '-rwxr-xr-x' ]
+RUN [ $(ls -l /test_dir/test_file | awk '{print $1}') = '-rw-r--r--' ]
 RUN [ $(ls -l /exists | awk '{print $3":"$4}') = 'dockerio:dockerio' ]

integration-cli/docker_cli_build_test.go

@@ -57,8 +57,13 @@ func TestBuildSixtySteps(t *testing.T) {
 }
 
 func TestAddSingleFileToRoot(t *testing.T) {
-	buildDirectory := filepath.Join(workingDirectory, "build_tests", "TestAdd")
-	buildCmd := exec.Command(dockerBinary, "build", "-t", "testaddimg", "SingleFileToRoot")
+	buildDirectory := filepath.Join(workingDirectory, "build_tests", "TestAdd", "SingleFileToRoot")
+	f, err := os.OpenFile(filepath.Join(buildDirectory, "test_file"), os.O_CREATE, 0644)
+	if err != nil {
+		t.Fatal(err)
+	}
+	f.Close()
+	buildCmd := exec.Command(dockerBinary, "build", "-t", "testaddimg", ".")
 	buildCmd.Dir = buildDirectory
 	out, exitCode, err := runCommandWithOutput(buildCmd)
 	errorOut(err, t, fmt.Sprintf("build failed to complete: %v %v", out, err))
@@ -137,8 +142,17 @@ func TestAddDirContentToExistDir(t *testing.T) {
 }
 
 func TestAddWholeDirToRoot(t *testing.T) {
-	buildDirectory := filepath.Join(workingDirectory, "build_tests", "TestAdd")
-	buildCmd := exec.Command(dockerBinary, "build", "-t", "testaddimg", "WholeDirToRoot")
+	buildDirectory := filepath.Join(workingDirectory, "build_tests", "TestAdd", "WholeDirToRoot")
+	test_dir := filepath.Join(buildDirectory, "test_dir")
+	if err := os.MkdirAll(test_dir, 0755); err != nil {
+		t.Fatal(err)
+	}
+	f, err := os.OpenFile(filepath.Join(test_dir, "test_file"), os.O_CREATE, 0644)
+	if err != nil {
+		t.Fatal(err)
+	}
+	f.Close()
+	buildCmd := exec.Command(dockerBinary, "build", "-t", "testaddimg", ".")
 	buildCmd.Dir = buildDirectory
 	out, exitCode, err := runCommandWithOutput(buildCmd)
 	errorOut(err, t, fmt.Sprintf("build failed to complete: %v %v", out, err))
@@ -152,6 +166,21 @@ func TestAddWholeDirToRoot(t *testing.T) {
 	logDone("build - add whole directory to root")
 }
 
+func TestAddEtcToRoot(t *testing.T) {
+	buildDirectory := filepath.Join(workingDirectory, "build_tests", "TestAdd")
+	buildCmd := exec.Command(dockerBinary, "build", "-t", "testaddimg", "EtcToRoot")
+	buildCmd.Dir = buildDirectory
+	out, exitCode, err := runCommandWithOutput(buildCmd)
+	errorOut(err, t, fmt.Sprintf("build failed to complete: %v %v", out, err))
+
+	if err != nil || exitCode != 0 {
+		t.Fatal("failed to build the image")
+	}
+
+	deleteImages("testaddimg")
+	logDone("build - add etc directory to root")
+}
+
 // Issue #5270 - ensure we throw a better error than "unexpected EOF"
 // when we can't access files in the context.
 func TestBuildWithInaccessibleFilesInContext(t *testing.T) {
@@ -177,7 +206,7 @@ func TestBuildWithInaccessibleFilesInContext(t *testing.T) {
 
 		// check if we've detected the failure before we started building
 		if !strings.Contains(out, "no permission to read from ") {
-			t.Fatalf("output should've contained the string: no permission to read from ")
+			t.Fatalf("output should've contained the string: no permission to read from but contained: %s", out)
 		}
 
 		if !strings.Contains(out, "Error checking context is accessible") {

server/buildfile.go

@@ -438,9 +438,6 @@ func (b *buildFile) addContext(container *daemon.Container, orig, dest string, r
 			if err := os.Lchown(path, uid, gid); err != nil && !os.IsNotExist(err) {
 				return err
 			}
-			if err := os.Chmod(path, 0755); err != nil && !os.IsNotExist(err) {
-				return err
-			}
 			return nil
 		})
 	}