Original Post: Surprising subtleties of Docker permissions
The analysis platform fundamentally relies on an entity called an analyzer, with each analyzer being encapsulated within its own Docker image due to the diversity of languages and libraries in static analysis. Analyzers receive their inputs from the /analysis/inputs folder, and after completion, their outputs are retrieved from the /analysis/output folder. While the platform typically uses bind mounts to share directories during execution, it resorts to docker cp in CI environments on Circle due to remote Docker daemon constraints.
Initially, this setup functioned well, but issues arose with filesystem permissions when the platform was run on Linux hosts. The document then delves into POSIX filesystem permissions, explaining their access control model across various operating systems like macOS, BSD, and Linux. It highlights the concepts of user ID and group ID, and how permissions for reading, writing, and executing files are managed for file owners, group users, and others.
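The permission model summarized above is easy to state and easy to get wrong in practice, so here is an added worked example (my own code, not from the original post or the analysis platform it describes) that implements the POSIX access decision for a file given its mode bits, owner uid/gid, and the requesting process's uid and groups, then applies it to a constructed version of the Docker situation: an analyzer container running as root writes into /analysis/output, and a developer on a Linux host with uid 1000 later tries to use the result. The uids, gids and the result file name are assumptions chosen for illustration; the hypothetical "fixed" scenario assumes the container was started with a uid matching the host user, which is not something the summary itself discusses.

```python
import os
import stat
from dataclasses import dataclass

# Minimal model of POSIX discretionary access control. Exactly one
# permission class applies to a process: owner if the uid matches, else
# group if the file's gid is among the process's groups, else other.


@dataclass(frozen=True)
class FileMeta:
    mode: int        # permission bits only, e.g. 0o644
    owner_uid: int
    owner_gid: int


@dataclass(frozen=True)
class Process:
    uid: int
    gids: frozenset  # primary plus supplementary group ids


SHIFT = {"owner": 6, "group": 3, "other": 0}
BIT = {"r": 4, "w": 2, "x": 1}


def permission_class(meta: FileMeta, proc: Process) -> str:
    """Pick the single class whose bits govern this process."""
    if proc.uid == meta.owner_uid:
        return "owner"
    if meta.owner_gid in proc.gids:
        return "group"
    return "other"


def can_access(meta: FileMeta, proc: Process, op: str) -> bool:
    """True if proc may perform op ('r', 'w' or 'x') on the file.

    Subtlety: classes are not cumulative. An owner with mode 0o064 is
    denied read even though the group class would have allowed it.
    """
    if proc.uid == 0:
        # root bypasses read/write checks; execute still needs some x bit set
        return True if op in ("r", "w") else bool(meta.mode & 0o111)
    bits = (meta.mode >> SHIFT[permission_class(meta, proc)]) & 0o7
    return bool(bits & BIT[op])


def meta_from_path(path: str) -> FileMeta:
    """Read real metadata from the host filesystem for use with can_access."""
    st = os.stat(path)
    return FileMeta(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)


def current_process() -> Process:
    """The calling process as seen by the permission model (Unix hosts only)."""
    return Process(os.getuid(), frozenset(os.getgroups()) | {os.getgid()})


def docker_cp_scenario():
    """Constructed case: the analyzer ran as root (uid 0) inside the container
    and created /analysis/output/result.json with mode 0o644. On the Linux
    host the developer is uid 1000. Returns (can_read, can_write)."""
    result_json = FileMeta(mode=0o644, owner_uid=0, owner_gid=0)
    host_dev = Process(uid=1000, gids=frozenset({1000}))
    return can_access(result_json, host_dev, "r"), can_access(result_json, host_dev, "w")


def fixed_scenario():
    """Hypothetical fix: the container was started with a uid matching the
    host developer, so the output file is owned by uid 1000 instead of root."""
    result_json = FileMeta(mode=0o644, owner_uid=1000, owner_gid=1000)
    host_dev = Process(uid=1000, gids=frozenset({1000}))
    return can_access(result_json, host_dev, "r"), can_access(result_json, host_dev, "w")


if __name__ == "__main__":
    print("root-owned output, host uid 1000 (read, write):", docker_cp_scenario())
    print("uid-matched output, host uid 1000 (read, write):", fixed_scenario())
```

The first scenario is the one that surprises people: the host user can read the root-owned output but cannot modify or delete it, which is why a pipeline that works on macOS (where Docker Desktop remaps ownership on bind mounts) suddenly needs sudo on a Linux host. Running meta_from_path and current_process against a real bind-mounted directory lets you confirm which permission class a host process actually falls into before debugging further.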
Go here to read the Original Post