devcontainer/devcontainer.go calls fs.MkdirAll(featuresDir, 0o644) and fs.MkdirAll(featureDir, 0o644) when creating feature extraction directories. 0o644 is a file permission mask — directories need the execute bit (0o755) to be traversable by non-root users.
On the in-memory filesystem used in tests this is harmless, but on a real filesystem it could prevent non-root container users from accessing feature install scripts.
This pre-dates #500 (the feature ordering PR) — the same 0o644 was used in the original code.
Fix
Change both MkdirAll calls to use 0o755.
🤖 Written by a Coder Agent.
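The difference between the two modes can be checked on a real filesystem. The following is an added example, not code from the project: it uses the standard library's `os.MkdirAll` as a stand-in for the filesystem abstraction the issue refers to, and `mkdirMode` and `traversableByOthers` are hypothetical helper names.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// traversableByOthers reports whether the "other" search (execute) bit is set,
// i.e. whether a user who is neither owner nor in the group can enter the directory.
func traversableByOthers(mode fs.FileMode) bool {
	return mode.Perm()&0o001 != 0
}

// mkdirMode creates one directory with the requested permissions inside a
// fresh temp dir and returns the permission bits the OS actually applied
// (requested mode with the process umask removed).
func mkdirMode(perm fs.FileMode) (fs.FileMode, error) {
	base, err := os.MkdirTemp("", "features-demo-")
	if err != nil {
		return 0, err
	}
	defer os.RemoveAll(base)

	dir := filepath.Join(base, "features") // constructed path for the demo
	if err := os.MkdirAll(dir, perm); err != nil {
		return 0, err
	}
	info, err := os.Stat(dir)
	if err != nil {
		return 0, err
	}
	return info.Mode().Perm(), nil
}

func main() {
	for _, perm := range []fs.FileMode{0o644, 0o755} {
		got, err := mkdirMode(perm)
		if err != nil {
			fmt.Fprintln(os.Stderr, "mkdir failed:", err)
			os.Exit(1)
		}
		fmt.Printf("requested %04o -> on disk %04o, traversable by others: %v\n",
			perm, got, traversableByOthers(got))
	}
}
```

Because the umask can only clear bits, a directory requested with 0o644 never gains a search bit, whatever the umask of the process is.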