Merge pull request #612 from pi-geosolutions/non-root-tomcat-user-master

jeanpommier · web-flow · commit 43cc019f057e · 2024-10-31T15:24:02.000+01:00
Run tomcat as non-root user
diff --git a/Dockerfile b/Dockerfile
@@ -19,12 +19,20 @@ RUN if [ "$TOMCAT_EXTRAS" = false ]; then \
       find "${CATALINA_BASE}/webapps/" -delete; \
     fi
 
+# Create a non-privileged tomcat user
+ARG USER_GID=999
+ARG USER_UID=999
+RUN addgroup --gid ${USER_GID} tomcat && \
+    adduser --system  -u ${USER_UID} --gid ${USER_GID} --no-create-home tomcat && \
+    chown -R tomcat:tomcat ${CATALINA_BASE}/ && \
+    chown tomcat:tomcat /docker-entrypoint.d
+
 # Add application from first stage
-COPY --from=extractwar /tmp/mapstore "${CATALINA_BASE}/webapps/mapstore"
-COPY georchestra-docker-scripts/ /
+COPY --chown=tomcat:tomcat --from=extractwar /tmp/mapstore "${CATALINA_BASE}/webapps/mapstore"
+COPY --chown=tomcat:tomcat georchestra-docker-scripts/ /
 # SHould be override in 2024.xx when a server.xml on 8080 will be available
-COPY docker/server.xml "${CATALINA_BASE}/conf/"
-
+COPY --chown=tomcat:tomcat docker/server.xml "${CATALINA_BASE}/conf/"
+USER tomcat
 
 # Geostore externalization template. Disabled by default
 # COPY docker/geostore-datasource-ovr.properties "${CATALINA_BASE}/conf/"
@@ -38,4 +46,5 @@ ENV TERM xterm
 # Necessary to execute tomcat and custom scripts
 ENTRYPOINT ["/docker-entrypoint.sh"]
 CMD ["catalina.sh", "run"]
+
 EXPOSE 8080
