Docker Community Forums

Does /usr/local/bin/docker-entrypoint.sh have to be group write?

I wanted to implement a TPE kernel module in my system, but unfortunately some of the docker official containers, like mariadb, have issues with it.

Basically the problem is with the /usr/local/bin/docker-entrypoint.sh file permissions:

-rwxrwxr-x 1 root root    5816 Jan  8 23:47 /usr/local/bin/docker-entrypoint.sh

Is there any reason that the file has group write permission?

That might be a question for the package maintainers, but the use case I could see for Docker would be if you needed to map the socket file inside your container so it could “safely” access the daemon. It would be more secure that way than running the entry point as root. Have you tried getting rid of it (either “chmod g-s” or implementing your own entry point)? Anything in the scripts look like it requires root permissions?

I’m just using official images, and lots of them have the group write permission in this file. Guys from mariadb told me they don’t change permissions in this file. So the only way to deal with the problem is to build my own images or to fix the issue upstream so the file doesn’t have to be group exec. So that’s why I’m asking.

I just realized I made a mistake. It’s not exec that causes the problem, but group write permission.
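The thread ends with the real trigger identified (the group write bit on an executable) and two ways out: rebuild the image or fix the file. The shell script below is an added example, not code from this thread or from any official image, that does the file-level half: it audits the directories an image drops executables into for files that are both executable and group- or world-writable, which is the combination a Trusted Path Execution policy refuses, and strips the write bits. It assumes a `find` that supports `-maxdepth` and symbolic `-perm` modes (GNU and BusyBox both do); the directory names passed to it are up to the caller.

```shell
#!/bin/sh
# Added example: audit for executables that TPE would refuse because they are
# writable by group or others, and optionally fix them. Not part of the thread
# or of any Docker image.

# Print every regular file directly inside the given directories that has any
# execute bit set and a group or other write bit set, sorted for stable output.
writable_execs() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -maxdepth 1 -type f \
            \( -perm -u+x -o -perm -g+x -o -perm -o+x \) \
            \( -perm -g+w -o -perm -o+w \) -print
    done | sort
}

# Number of offending files; useful as a build-time gate (non-zero means fail).
writable_exec_count() {
    writable_execs "$@" | wc -l | tr -d ' '
}

# Remove group and other write bits from each offending file, turning a 0775
# entrypoint into 0755 without touching its execute bits. No-op when clean.
fix_writable_execs() {
    writable_execs "$@" | while IFS= read -r f; do
        chmod go-w "$f"
    done
}

# When run directly with directory arguments, just report.
# Example: sh audit.sh /usr/local/bin /usr/bin
if [ "$#" -gt 0 ]; then
    writable_execs "$@"
fi
```

In a derived image the same fix is a single instruction after the `FROM` line, for example `RUN chmod go-w /usr/local/bin/docker-entrypoint.sh`, and running `writable_exec_count` in CI against the built image's `/usr/local/bin` catches the case where a base-image update reintroduces the bit.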