embuilder in 4.0.13 Docker image is executable only by user emscripten

[MarkCallow]

breaking GitHub Actions' workflow builds. These builds were working with the 4.0.12 Docker image.

Here is the output from ls -l run in Docker.

-rwxr--r-- 1 emscripten emscripten 1008 Aug 14 19:24 /emsdk/upstream/emscripten/embuilder

Why is this a problem?

When using the docker image in a GHA workflow and you start Docker with

docker run -dit --name emscripten -v $(pwd):/src emscripten/emsdk bash

/src ends up being owned by the uid/gid of the user that launched the workflow and commands are executed by that same user who cannot execute embuilder: Permission denied.*

Note that if you use the same command on you local machine /src is owned by and commands are run by root so no problem.

---

* On GitHub you actually need to use the command

docker run -dit --name emscripten --user "$(id -u):$(id -g)" -v $(pwd):/src emscripten/emsdk bash

to run docker so the user becomes the user who owns the repo in the workflow because of a security fix in Git that disallows Git commands not run by the repo owner.

[MarkCallow]

I need to clarify the above, some of which was based on my interpretation of some old comments in our code.

1. The regression breaks any build that passes --user <some user> when starting the Docker container, local or in CI.
2. In a GitHub Actions' build on a Linux runner the source files mounted in Docker (/src in the command I showed) are owned by the user running the workflow, typically 1001, while all commands are run by root (0)! For the following reasons setting --user is desirable:
   • git commands fail with `fatal: detected dubious ownership in repository at '/src'. This is due to a fix for CVE-2022-24765.
   • All products of the build are owned by root back in the host filesystem!

NOTE: I have found Docker running on my local macOS is different. In that, the mounted source files are owned by root so git commands work and the build products back in the host filesystem are owned by the user who started the Docker container.

[sbc100]

Presumably this effects not just embuilder but all the compiler entry point (e.g. emcc, em++, etc).

[sbc100]

Do you have any idea what caused this? If you have a suggested fix could you send a PR for it?

[MarkCallow]

Presumably this effects not just embuilder but all the compiler entry point (e.g. emcc, em++, etc).

It affects all of the extension-less files in /emsdk/upstream/emscripten/ except emcc.

Do you have any idea what caused this? If you have a suggested fix could you send a PR for it?

None. I have not been paying attention to changes. My CI just suddenly stopped working.

[MarkCallow]

It affects all of the extension-less files in /emsdk/upstream/emscripten/ except emcc.

I just checked 4.0.12. In there all these files have mode 755.

[sbc100]

Yes it looks like the permissions for the launchers scripts did change between 4.0.12 and 4.0.13:

$ tar tvf wasm-binaries.tar.xz install/emscripten/embuilder
-rwxr-xr-x chrome-bot/chrome-bot 975 2025-08-01 08:13 install/emscripten/embuilder
$ tar tvf wasm-binaries.tar.xz.1 install/emscripten/embuilder
-rwxr--r-- chrome-bot/chrome-bot 1008 2025-08-14 12:24 install/emscripten/embuilder