@@ -30,6 +30,8 @@ RUN <<-EOT
3030 set -eux
3131 apt-get update
3232 apt-get install -y curl tar apt-transport-https ca-certificates gnupg
33+ groupadd --gid 1001 non-root-user
34+ useradd --uid 1001 --gid 1001 -m non-root-user
3335 apt-get clean
3436 rm -rf /var/lib/apt/lists/*
3537EOT
@@ -64,6 +66,9 @@ RUN <<-EOT
6466 /usr/lib/jvm/graalvm*/lib/installer
6567EOT
6668
69+ # Switch to non-root user during runtime for security
70+ USER non-root-user
71+
6772FROM scratch AS default-jdk
6873ARG LATEST_VERSION
6974
@@ -87,6 +92,8 @@ RUN <<-EOT
8792 apt-get update
8893 apt-get install -y curl tar apt-transport-https ca-certificates gnupg \
8994 socat less debian-goodies autossh ca-certificates-java python3-pip
95+ groupadd --gid 1001 non-root-user
96+ useradd --uid 1001 --gid 1001 -m non-root-user
9097 apt-get clean
9198 rm -rf /var/lib/apt/lists/*
9299 mkdir -p /usr/local/lib/docker/cli-plugins /usr/local/bin
@@ -126,6 +133,9 @@ RUN <<-EOT
126133 rm -rf /var/lib/apt/lists/*
127134EOT
128135
136+ # Switch to non-root user during runtime for security
137+ USER non-root-user
138+
129139# IBM specific env variables
130140ENV IBM_JAVA_OPTIONS="-XX:+UseContainerSupport"
131141
@@ -151,6 +161,9 @@ COPY --from=all-jdk /usr/lib/jvm/${VARIANT_LOWER} /usr/lib/jvm/${VARIANT_LOWER}
151161ENV JAVA_${VARIANT_UPPER}_HOME=/usr/lib/jvm/${VARIANT_LOWER}
152162ENV JAVA_${VARIANT_LOWER}_HOME=/usr/lib/jvm/${VARIANT_LOWER}
153163
164+ # Switch to non-root user during runtime for security
165+ USER non-root-user
166+
154167# Full image for debugging, contains all JDKs.
155168FROM base AS full
156169
@@ -166,6 +179,9 @@ COPY --from=all-jdk /usr/lib/jvm/ubuntu17 /usr/lib/jvm/ubuntu17
166179COPY --from=all-jdk /usr/lib/jvm/graalvm17 /usr/lib/jvm/graalvm17
167180COPY --from=all-jdk /usr/lib/jvm/graalvm21 /usr/lib/jvm/graalvm21
168181
182+ # Switch to non-root user during runtime for security
183+ USER non-root-user
184+
169185ENV JAVA_7_HOME=/usr/lib/jvm/7
170186
171187ENV JAVA_ZULU7_HOME=/usr/lib/jvm/7
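Review bot: The `USER non-root-user` lines added at 137, 165 and 183 name the account rather than its UID, so a runtime that enforces non-root by inspecting the image (for example Kubernetes `runAsNonRoot`) cannot verify it and will refuse to start the container; `USER 1001:1001` matches the IDs the commit passes to `groupadd`/`useradd` and can be checked. The `USER` added at line 70 is the last instruction before `FROM scratch AS default-jdk`, so it changes nothing inside that stage, and if the stage is only read through `COPY --from=all-jdk` (as the later hunks suggest) neither it nor the account created at lines 33-34 reaches a shipped image. The stages around lines 137 and 183 continue outside the hunks, so any later `RUN` there that needs root would have to sit above the `USER` line.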