Can you please sign your commits following these rules:

https://github.com/docker/docker/blob/master/CONTRIBUTING.md#sign-your-work

The easiest way to do this is to amend the last commit:

$ git clone -b "master" [email protected]:mitchcapper/docker.git somewhere
$ cd somewhere
$ git commit --amend -s --no-edit
$ git push -f

This will update the existing PR, so you do not need to open a new one.

Marking this with 1.6 because I think we should decide on this (one way or the other) prior to 1.6 going out.

ping @ahmetalpbalkan

Maybe the best solution is to set it to the softer 755 mask, and add a note to the documentation that ADD/COPY commands on windows will set permissions to 755 by default (due to no windows permission equiv) so that no one is surprised by this action. That insures existing Dockerfiles don't break (along with better similarities to building on linux) and lets users know that private data will need to be chmodded afterwards if they are running a container as root and dropping to another user (and don't want the dropped user to be able to access it). If you decide later on you can always make it more restrictive without much impact.

@mitchcapper #11397 is already adding a warning about current 0711 mask

@duglin maybe we can pull some Docker security engineers to the discussion at #11246? This has been initially discussed and folks were ok with removing r/w bits for others/group. This was not the main change we made in #11246 ; it was to add +x.

I'm definitely +1 for this proposal however normal Windows users mostly won't know chmod strings, what they mean and how to change them. If we can agree that we will be fine by just adding warning message (#11397) then I'm +1.

@mitchcapper windows tests are failing because you need to change the expected default file permission for windows in integration-cli package to -rwxr-xr-x now. :) please amend your existing commit and git push -f to your branch.

We are talking about a Windows user is building a linux container with modifications, and having that container start as root but drop to another user for security purposes (which is the use case where the more restrictive bits are useful). For this type of user I think them knowing chmod is not unreasonable (especially as if they had put that file onto the linux box by another method they would need to chmod it).

@mitchcapper I haven't run any containers as root nor heard my colleagues doing the same thing, but then I'm probably not a good docker user. :) You might be correct in the "people run containers with root" statement.

If you update this PR with the test fix, I think I can be +1, but I'm not a maintainer so you need to convince other folks as well. :)

I'm +1 on -rwxr-xr-x via Windows, FWIW. 👍

@mitchcapper please squash your commits into 1 and git push -f to your branch... I see 3 commits currently on the PR.

Also #11397 is merged so the warning shown assumes that this PR is merged.

hmm tests are still failing with the change. Apparently the files added are getting other mod than -rwxr-xr-x. That's weird. Can you build some stuff and see what permission they're getting with this change?

also fix the TestChmodTarEntry test in pkg\archive\archive_windows_test.go (you don't notice it's failing because package unit tests are currently not part of the windows CI suite). @mitchcapper

LGTM. Note to maintainers: please !rebuild once the CI issues are resolved. This should be passing now.

LGTM