Permissions are rwxrwxr-x which mean rwx for owner ("read-write-execute"), rwx for group, r-x for others.
For directories, "read" flag (r) means "get a directory listing", "write" (w) means "create/delete/rename objects" in that directory, and "execute" (x) is "enter" (cd) into that directory.
Changes (w) are permitted only for owner or owner-group. You're docker and you aren't the owner which is www-data. Likely docker doesn't belong to the www-data group, so you are one of those "others", who are not permitted to write.
This could be solved:
- by using POSIX ACL to add permissions specifically for the
docker user or group it belongs to;
- by adding
docker into www-data group;
- by changing permissions to be world-writable.
Options are presented in the order of decreasing security (as opposed to increased ease of implementation). In addition, two lower options have a caveat: newly created objects will be owned by docker and now www-data won't have control over them; it could be it will not able to delete them or even read, that depends on what permissions objects are created with. It's messy and I suggest to not do that. I'd explain the POSIX ACL path:
setfacl -m user:docker:rwx /var/www/userdata02.example.com/html/public
setfacl -m default:user:docker:rwx /var/www/userdata02.example.com/html/public
setfacl -m default:user:www-data:rwx /var/www/userdata02.example.com/html/public
setfacl -m default:group:www-data:rwx /var/www/userdata02.example.com/html/public
Even in first case objects will be owned by creator (docker), but you can have a "default" ACL which will be applied to all new objects and nested to subdirectories, so you can force all new object to have full permissions for www-data. This is what three lower lines are for.
Or, you can create a special group for such object and instead of giving permissions to user:docker give them to group:that_group. Depending on what you are going to do in Docker, it might make your life easier later.
