# docker version|grep Version
Version: 18.03.1-ce
Version: 18.03.1-ce
# cat Dockerfile
# Reproducer image: the entrypoint script is root-owned with mode 544, while the
# container process runs as the unprivileged user "service".
# NOTE(review): the untagged base resolves to alpine:latest; pin a tag or digest
# if the reproducer has to give the same result later.
FROM alpine
# Create group "service" and a system user "service" (-S) whose group is "service" (-G).
RUN addgroup service && adduser -S service -G service
# Copy the script in owned by root:root, so "service" is neither its owner nor in its group.
COPY --chown=root:root debug.sh /opt/debug.sh
# 544 = r-xr--r--: only the owner (root) has the execute bit; group and others get read only.
RUN chmod 544 /opt/debug.sh
# From here on, and at container start, the process runs as "service".
USER service
# Exec form: the runtime executes this path directly as "service", which falls under
# the "other" permission bits (r--) of the file above.
# NOTE(review): mode 555 would keep the script root-owned and unwritable while letting
# the unprivileged user execute it.
ENTRYPOINT ["/opt/debug.sh"]
# cat debug.sh
#!/bin/sh
ls -l /opt/debug.sh
whoami
# docker build -t foobar:latest .; docker run foobar
Sending build context to Docker daemon 5.12kB
[...]
Successfully built 41c8b99a6371
Successfully tagged foobar:latest
-r-xr--r-- 1 root root 37 Nov 14 22:42 /opt/debug.sh
service
# docker version|grep Version
Version: 18.09.0
Version: 18.09.0
# docker run foobar
standard_init_linux.go:190: exec user process caused "permission denied"
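That changed with 18.06 and just uncovered some issues. I was, well let's say "surprised", that this ever worked at all: with mode 544 and root:root ownership, the `service` user has only read permission on /opt/debug.sh, so the "permission denied" from 18.09.0 is what the file mode asks for. Other sets of perms like 0700 or 644 already failed with a different error message on docker 18.03.1. Keeping the script owned by root and not writable, while adding the execute bit for others (e.g. mode 555), lets the unprivileged user run it without being able to modify it.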