Paved with good intentions: The story of fix-buildkite-agent-builds-permissions
The text describes an issue with file permissions in a Docker container used for running jobs. A Bash script was initially created to fix the file permissions, but it had security vulnerabilities because attackers could potentially manipulate symlinks. The solution uses syscalls such as openat2 and fchownat to ensure that the path given to chown is a subpath of a trusted directory and contains no symlinks. This approach effectively creates a tiny per-open-call chroot jail, which keeps file permission management within Docker containers secure.
Company: Buildkite
Date published: Oct. 12, 2023
Author(s): Josh Deprez
Word count: 1551
Language: English
Hacker News points: 59