docs-lint job doesn't always find images with 755 permissions
As part of the docs lint job, we check the images' permissions: https://gitlab.com/gitlab-org/gitlab-ce/blob/51119395e668d592d69266cf74dcb67b667082a8/scripts/lint-doc.sh#L26-34.

As seen in https://gitlab.com/gitlab-org/gitlab-ce/-/jobs/193243253, docs lint passed even though there were images with 755 bits:
```sh
$ git checkout 4f5b1341f952a04a80e855aaac540ce6ecb09b45
$ find doc/ app/ -type f -perm 755
doc//ci/introduction/img/job_running.png
doc//ci/introduction/img/rollback.png
doc//ci/introduction/img/pipeline_status.png
doc//ci/variables/img/override_variable_manual_pipeline.png
doc//ci/variables/img/new_custom_variable_example.png
doc//ci/variables/img/ci_job_stage_output_example.png
doc//ci/variables/img/override_value_via_manual_pipeline_output.png
doc//ci/variables/img/custom_variable_output.png
```
Out of nowhere, https://gitlab.com/gitlab-org/gitlab-ce/-/jobs/194484356 started failing.
I've seen this happen before, but I'm not quite sure why yet.
## Why

In Slack (https://gitlab.slack.com/archives/C0SFP840G/p1554977331265900), Tomasz pointed to https://gitlab.com/gitlab-org/gitlab-runner/blob/master/dockerfiles/build/scripts/gitlab-runner-build#L2.

In short: you may use any Docker image for your job script. That image can be configured to run as whatever user (UID) its author chose. But the code, cache and artifacts are downloaded by the helper image, which the Runner owns, and the image you use may run as a different UID than the helper image does.
So the helper image sets `umask 0000` before downloading any files. The files are therefore writable by anyone, and the script in your Docker image, which may run as a specific user, can still access them. With that umask, a file checked out with its executable bit set ends up as 777 rather than 755, which an exact `-perm 755` test does not match.
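The following is an added example, not code from this issue or from the GitLab project, that reproduces the effect on a constructed `doc/img/` tree: files created under `umask 0000` with the executable bit become 777, so an exact `find -perm 755` (assumed here to be what the lint check does, based on the reproduction above) misses them, while a bit-mask test such as `-perm /111` catches an executable file whatever its write bits are. It assumes POSIX sh plus a `find` that understands `-perm /mode` (GNU and BSD both do; the strictly POSIX alternative is `-perm -100`, owner-executable).

```sh
#!/bin/sh
# Added example (not from the issue or the project). Demonstrates why an
# exact-mode check misses images checked out under umask 0000, and a
# mask-based check that does not.

# make_sample_tree DIR: build a constructed doc/img tree with files created
# under the usual umask 022 and under umask 0000 (what the Runner helper
# image sets before cloning). `chmod a+x` stands in for git checking out a
# file whose executable bit is set in the index.
make_sample_tree() {
  dir=$1
  mkdir -p "$dir/doc/img"
  # Default umask 022: an executable image ends up 755, a plain one 644
  ( umask 022; : > "$dir/doc/img/normal_755.png"; chmod a+x "$dir/doc/img/normal_755.png" )
  ( umask 022; : > "$dir/doc/img/normal_644.png" )
  # umask 0000: an executable image ends up 777, a plain one 666
  ( umask 0000; : > "$dir/doc/img/helper_777.png"; chmod a+x "$dir/doc/img/helper_777.png" )
  ( umask 0000; : > "$dir/doc/img/helper_666.png" )
}

# perm_string FILE: the ten-character mode field from ls -l, e.g. -rwxrwxrwx
# (portable across GNU and BSD, unlike stat's format flags).
perm_string() {
  ls -ld "$1" | cut -c1-10
}

# count_exact_mode DIR MODE: the check as reproduced in the issue. -perm MODE
# with no prefix matches only files whose mode is exactly MODE.
count_exact_mode() {
  find "$1" -type f -perm "$2" | wc -l | tr -d ' '
}

# count_executable DIR: matches any file with at least one execute bit set.
# -perm /111 means "any of these bits"; write bits are ignored, so a 777
# file created under umask 0000 is reported just like a 755 one.
count_executable() {
  find "$1" -type f -perm /111 | wc -l | tr -d ' '
}

# Stand-alone demonstration: build the tree and compare both checks.
demo() {
  d=$(mktemp -d)
  make_sample_tree "$d"
  for f in "$d"/doc/img/*; do
    printf '%s %s\n' "$(perm_string "$f")" "${f##*/}"
  done
  printf 'files matched by exact -perm 755: %s\n' "$(count_exact_mode "$d" 755)"
  printf 'files matched by -perm /111:      %s\n' "$(count_executable "$d")"
  rm -rf "$d"
}

demo
```

Running it shows the two executable images but only one hit for the exact-mode test: the 777 file created under `umask 0000` is exactly the kind of file the lint job let through in the passing pipeline above. Testing for execute bits rather than for one literal mode makes the check independent of whatever umask the helper image happens to use.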