
Wrong group permission check #45133

Open
jclab-joseph opened this issue Mar 10, 2023 · 1 comment
Labels: area/builder, kind/bug, status/0-triage, version/23.0

Comments

@jclab-joseph

Description

It seems that docker:23.0.1-dind is doing an incorrect permission check.

Reproduce

Dockerfile:

FROM alpine:3.17

RUN apk add bash shadow abuild sudo

RUN mkdir -p /work && \
    useradd -s /bin/bash -m builder && \
    usermod -a -G abuild builder && \
    echo "%builder ALL=(ALL:ALL) NOPASSWD: ALL" | tee /etc/sudoers.d/builder

USER builder
RUN id && \
    ls -al /var/cache/distfiles/ && \
    touch /var/cache/distfiles/test

Build Result:

> [4/4] RUN id &&     ls -al /var/cache/distfiles/ &&     touch /var/cache/distfiles/test:
#0 1.406 uid=1000(builder) gid=1000(builder) groups=300(abuild)
#0 1.417 total 12
#0 1.420 drwxrwxr-x    2 root     abuild        4096 Mar 10 02:26 .
#0 1.420 drwxr-xr-x    1 root     root          4096 Mar 10 02:26 ..
#0 1.433 touch: /var/cache/distfiles/test: Permission denied
------
Dockerfile:11
--------------------
  10 |     USER builder
  11 | >>> RUN id && \
  12 | >>>     ls -al /var/cache/distfiles/ && \
  13 | >>>     touch /var/cache/distfiles/test
  14 |     
--------------------

Expected behavior

On 20.10.12 (no dind) it works fine.

docker version

Client:
 Version:           23.0.1
 API version:       1.42
 Go version:        go1.19.5
 Git commit:        a5ee5b1
 Built:             Thu Feb  9 19:45:43 2023
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          23.0.1
  API version:      1.42 (minimum version 1.12)
  Go version:       go1.19.5
  Git commit:       bc3805a
  Built:            Thu Feb  9 19:48:50 2023
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          v1.6.16
  GitCommit:        31aa4358a36870b21a992d3ad2bef29e1d693bec
 runc:
  Version:          1.1.4
  GitCommit:        v1.1.4-0-g5fd4c4d
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

docker info

Client:
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.10.4
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.16.0
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 1
  Running: 1
  Paused: 0
  Stopped: 0
 Images: 1
 Server Version: 23.0.1
 Storage Driver: overlay2
  Backing Filesystem: fuse
  Supports d_type: true
  Using metacopy: true
  Native Overlay Diff: false
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 31aa4358a36870b21a992d3ad2bef29e1d693bec
 runc version: v1.1.4-0-g5fd4c4d
 init version: de40ad0
 Security Options:
  seccomp
   Profile: builtin
 Kernel Version: 5.19.2
 Operating System: Alpine Linux v3.17 (containerized)
 OSType: linux
 Architecture: x86_64
 CPUs: 1
 Total Memory: 5.946GiB
 Name: dockerd-747d498f5b-677bx
 ID: 65ae90e6-b73a-48b7-a822-895a88f85ecd
 Docker Root Dir: /var/lib/docker
 Debug Mode: true
  File Descriptors: 30
  Goroutines: 42
  System Time: 2023-03-10T02:31:05.336963758Z
  EventsListeners: 0
 Registry: https://index.docker.io/v1/
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false
 Product License: Community Engine

Additional Info

No response
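Added diagnostic, not code from the issue or from the moby project: it computes what the POSIX mode bits should grant the calling user (owner first, then group including supplementary groups, then other) and compares that with what the kernel actually answers via access(2) for the same path. A mismatch of the kind shown in the build log above (caller in group 300 on a mode 0775 directory owned by root:abuild, yet Permission denied) points at the storage/filesystem layer rather than at the Dockerfile's user and group setup. The default path and the function names are this example's own.

```python
import os
import stat


def posix_allows(st_mode, st_uid, st_gid, uid, gid, groups, want):
    """Classic POSIX owner/group/other check.

    'want' is a subset of "rwx". Supplementary groups count for the group
    class exactly as the primary gid does. Capability overrides (root) are
    deliberately ignored so the result reflects an unprivileged build user.
    """
    if uid == st_uid:
        shift = 6                      # owner bits
    elif gid == st_gid or st_gid in groups:
        shift = 3                      # group bits
    else:
        shift = 0                      # other bits
    bits = {"r": 4, "w": 2, "x": 1}
    need = sum(bits[c] for c in want)
    have = (st_mode >> shift) & 7
    return have & need == need


def explain(path):
    """Compare the POSIX expectation with the kernel's access(2) answer.

    Creating a file in a directory needs write and search (x) on it, so
    both bits are requested. 'mismatch' is the signature of this issue.
    """
    st = os.stat(path)
    uid, gid, groups = os.geteuid(), os.getegid(), os.getgroups()
    expected = posix_allows(st.st_mode, st.st_uid, st.st_gid, uid, gid, groups, "wx")
    actual = os.access(path, os.W_OK | os.X_OK)
    return {
        "path": path,
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "owner": (st.st_uid, st.st_gid),
        "caller": (uid, gid, sorted(groups)),
        "posix_expects": expected,
        "kernel_allows": actual,
        "mismatch": expected != actual,
    }


if __name__ == "__main__":
    import json
    import sys
    # Assumed default: the directory from the issue's Dockerfile.
    target = sys.argv[1] if len(sys.argv) > 1 else "/var/cache/distfiles"
    print(json.dumps(explain(target), indent=2))
```

Run it as the build user inside the failing RUN step (for example `python3 check.py /var/cache/distfiles`); `posix_expects: true` together with `kernel_allows: false` reproduces the report without needing a second build.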

@jclab-joseph
Author

Same at 23.0.3.
