diff --git a/Dockerfile b/Dockerfile
index 31a6fed..8a91cb1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -136,7 +136,17 @@ RUN cd $CATALINA_HOME/lib \
 
 # copy scripts
 COPY *.sh /opt/
-RUN chmod +x /opt/*.sh
+# GeoServer user => restrict access to $CATALINA_HOME and GeoServer directories
+# See also CIS Docker benchmark and docker best practices
+RUN chmod +x /opt/*.sh \
+    && groupadd geoserver  \
+    && useradd --no-log-init -r -g geoserver geoserver \
+    && chown -R geoserver:geoserver $CATALINA_HOME \
+    && chmod g-w,o-rwx $CATALINA_HOME \
+    && chown -R geoserver:geoserver $GEOSERVER_DATA_DIR \
+    && chown -R geoserver:geoserver $GEOSERVER_LIB_DIR
+
+USER geoserver
 
 ENTRYPOINT ["/opt/startup.sh"]