From b108b4be0662d3d4bad4bd038756184841d4fd11 Mon Sep 17 00:00:00 2001
From: Andre Henn
Date: Tue, 12 Dec 2023 14:28:16 +0100
Subject: [PATCH] introduce geoserver user as docker user
---
 Dockerfile | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 31a6fed..8a91cb1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -136,7 +136,17 @@ RUN cd $CATALINA_HOME/lib \
 # copy scripts
 COPY *.sh /opt/
-RUN chmod +x /opt/*.sh
+# GeoServer user => restrict access to $CATALINA_HOME and GeoServer directories
+# See also CIS Docker benchmark and docker best practices
+RUN chmod +x /opt/*.sh \
+ && groupadd geoserver \
+ && useradd --no-log-init -r -g geoserver geoserver \
+ && chown -R geoserver:geoserver $CATALINA_HOME \
+ && chmod g-w,o-rwx $CATALINA_HOME \
+ && chown -R geoserver:geoserver $GEOSERVER_DATA_DIR \
+ && chown -R geoserver:geoserver $GEOSERVER_LIB_DIR
+
+USER geoserver
 ENTRYPOINT ["/opt/startup.sh"]
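Review bot: `chown -R geoserver:geoserver $CATALINA_HOME` makes the runtime account the owner of the whole Tomcat tree, so a compromised GeoServer process could rewrite Tomcat's binaries, `conf/` and deployed webapps; the following `chmod g-w,o-rwx $CATALINA_HOME` is not recursive and only changes the top directory. Consider keeping the install root-owned and group-readable (`chown -R root:geoserver $CATALINA_HOME && chmod -R g-w,o-rwx $CATALINA_HOME`) and giving `geoserver` ownership only of the directories written at runtime (typically `logs`, `temp`, `work`) plus `$GEOSERVER_DATA_DIR`. Whether `/opt/startup.sh` writes elsewhere under `$CATALINA_HOME` or `$GEOSERVER_LIB_DIR` is not visible in this hunk and should be checked first. The data and lib directories are only chown'ed, so the "restrict access" promised in the comment does not yet apply to them. `useradd -r` without explicit IDs picks the UID at build time, and the build-time chown will generally not apply to a host directory bind-mounted over `$GEOSERVER_DATA_DIR`, so pinning them (`groupadd -r -g <GID> geoserver`, `useradd --no-log-init -r -u <UID> -g geoserver geoserver`) keeps host-side permissions predictable.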