@witty-crayon-22786 I happened to notice https://github.com/pantsbuild/pants/pull/18327 (well, you happened to mention me 😄) - are you aware of docker user namespaces? I've seen this used in CI environments - tl;dr is: In your docker container, you run things as root (user 0), but you use user remapping so that the in-container root user is your out-of-container executing user - it's a really handy way of avoiding permissions errors e.g. requiring sudo to clean-up stuff that happened in the container - as long as everything in the container runs as a predictable user (doesn't have to be root, but often is), you end up with exactly-as-you-want out-of-container permissions

This seems like exactly what we want!

i was not aware! thank you 😃 the tricky bit will be the:

as long as everything in the container runs as a predictable user (doesn’t have to be root, but often is)

aspect… but i expect that all solutions to https://github.com/pantsbuild/pants/issues/18329 seem like they will involve at least a little bit of user awareness

I wonder if you could also inspect the docker container for the effective USER at the end and use that as the target for remapping.