Container (non-root) user can't write to /dev/stdout or /dev/stderr

Oh yeah, that wasn’t very self-explanatory. Here is a simplified version:

su -s /bin/sh -c 'echo "test 1"; echo "test 2" >>/dev/stdout' www-data >/tmp/out

Here /tmp/out is a regular file which is only writable by root. The aim is to get the “inner” command (two echos) to run as user www-data with fd 1 open to /tmp/out. The outer command achieves this by calling su and redirecting output to /tmp/out.

The first echo succeeds (and the output is saved in /tmp/out) even though www-data doesn’t have write access to /tmp/out. The second echo seems to be equivalent (because /dev/stdout is normally equivalent to fd 1), but it fails because /dev/stdout is a symlink to /proc/self/fd/1 which is a symlink to /tmp/out and opening it triggers a permission check which fails.

In the su invocation, the option -s /bin/sh is required because the default shell of www-data is /usr/sbin/nologin.
Changing >>/dev/stdout to >/dev/stdout doesn’t make a difference.
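The same inherited-fd versus re-open distinction, reproduced without su as an added example (this is not code from the thread): the file is opened once, then chmod 0000, so its non-root owner can still write through the already-open descriptor, but any new open() of it by path, including via /dev/stdout -> /proc/self/fd/1, is refused. Linux /proc semantics are assumed; run_experiment and the temp file are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Reproduces the /dev/stdout failure
# without su: a temp file we own is opened on fd 3 and then chmod 0000, so
# write(2) through the existing descriptor still works but any open(2) of
# the file by path (including via /dev/stdout) fails for a non-root user.
# Assumes Linux (/dev/stdout -> /proc/self/fd/1); names are constructed.

# Prints "inherited=<ok|fail> reopen=<ok|fail> lines=<N>" where N is the
# number of lines that actually reached the file.
run_experiment() {
    tmp=$(mktemp) || return 1
    exec 3>>"$tmp"          # open for append while the mode is still 0600
    chmod 0000 "$tmp"       # from now on open() by path needs CAP_DAC_OVERRIDE

    # 1) Like the first echo in the post: the fd is already open, so only
    #    write(2) happens and no permission check is made.
    if echo "test 1" >&3; then inh=ok; else inh=fail; fi

    # 2) Like the second echo: with fd 1 pointing at the file, the shell
    #    open()s /dev/stdout -> /proc/self/fd/1 -> $tmp, and that open()
    #    re-checks DAC permissions against the mode-0000 inode.
    if ( exec >&3; echo "test 2" >>/dev/stdout ) 2>/dev/null; then
        reop=ok
    else
        reop=fail
    fi

    exec 3>&-
    chmod 0600 "$tmp"       # we own the file, so we may make it readable again
    lines=$(wc -l <"$tmp" | tr -d ' ')
    rm -f "$tmp"
    echo "inherited=$inh reopen=$reop lines=$lines"
}

run_experiment
```

As a non-root user this prints `inherited=ok reopen=fail lines=1`; as root (which has CAP_DAC_OVERRIDE) the re-open succeeds as well and both lines land in the file.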


The experimental section only has cmd and entrypoint (and exec), it doesn’t have user.
