fix app docker again! (#3427)

containers/app/Dockerfile

@@ -56,7 +56,7 @@ RUN useradd -l -m -u $OPENDEVIN_USER_ID -s /bin/bash opendevin && \
     usermod -aG app opendevin && \
     usermod -aG sudo opendevin && \
     echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
-RUN chown -R opendevin:app /app && chmod -R 2770 /app
+RUN chown -R opendevin:app /app && chmod -R 770 /app
 RUN sudo chown -R opendevin:app $WORKSPACE_BASE && sudo chmod -R 770 $WORKSPACE_BASE
 USER opendevin
 
@@ -75,7 +75,12 @@ COPY --chown=opendevin:app --chmod=770 ./poetry.lock ./poetry.lock
 COPY --chown=opendevin:app --chmod=770 ./README.md ./README.md
 COPY --chown=opendevin:app --chmod=770 ./MANIFEST.in ./MANIFEST.in
 
+# This is run as "opendevin" user, and will create __pycache__ with opendevin:opendevin ownership
 RUN python opendevin/core/download.py # No-op to download assets
+# Add this line to set group ownership of all files/directories not already in "app" group
+# opendevin:opendevin -> opendevin:app
+RUN find /app \! -group app -exec chgrp app {} +
+
 RUN chown -R opendevin:app /app/logs && chmod -R 770 /app/logs # This gets created by the download.py script
 
 COPY --chown=opendevin:app --chmod=770 --from=frontend-builder /app/dist ./frontend/dist

containers/app/entrypoint.sh

@@ -59,7 +59,6 @@ else
   fi
 
   usermod -aG $DOCKER_SOCKET_GID enduser
-  usermod -aG opendevin enduser
   echo "Running as enduser"
   su enduser /bin/bash -c "$*"
 fi