Run tomcat as non-root user

georchestra · Mar 28, 2023 · bb9cf90 · bb9cf90
1 parent 98f4749
commit bb9cf90
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/Dockerfile b/Dockerfile
@@ -11,8 +11,13 @@ RUN if [ "$TOMCAT_EXTRAS" = false ]; then \
       find "${CATALINA_BASE}/webapps/" -delete; \
     fi
 
+# Create a non-privileged tomcat user
+RUN addgroup --gid 999 tomcat && \
+    adduser --system  -u 999 --gid 999 --no-create-home tomcat && \
+    chown -R 999:999 /usr/local/tomcat
+
 # Add war files to be deployed
-COPY docker/*.war "${CATALINA_BASE}/webapps/mapstore.war"
+COPY --chown=999:999 docker/*.war "${CATALINA_BASE}/webapps/mapstore.war"
 
 # Geostore externalization template. Disabled by default
 # COPY docker/geostore-datasource-ovr.properties "${CATALINA_BASE}/conf/"
@@ -23,4 +28,6 @@ ENV JAVA_OPTS="${JAVA_OPTS} ${GEORCHESTRA_DATADIR_OPT}"
 # Set variable to better handle terminal commands
 ENV TERM xterm
 
+USER tomcat
+
 EXPOSE 8080