From 4dd778ecdbaf8c896599490d006e71650232951e Mon Sep 17 00:00:00 2001
From: Jean Pommier
Date: Tue, 24 Sep 2024 15:51:54 +0200
Subject: [PATCH] Run tomcat as non-root user

Based on PR #442 Updated according to suggestions from @edevosc2c on PR #612
---
 Dockerfile | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 7db7ddf4d..c471d4861 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -19,12 +19,20 @@ RUN if [ "$TOMCAT_EXTRAS" = false ]; then \
 find "${CATALINA_BASE}/webapps/" -delete; \
 fi
+# Create a non-privileged tomcat user
+ARG USER_GID=999
+ARG USER_UID=999
+RUN addgroup --gid ${USER_GID} tomcat && \
+ adduser --system -u ${USER_UID} --gid ${USER_GID} --no-create-home tomcat && \
+ chown -R tomcat:tomcat ${CATALINA_BASE}/ && \
+ chown tomcat:tomcat /docker-entrypoint.d
+
 # Add application from first stage
-COPY --from=extractwar /tmp/mapstore "${CATALINA_BASE}/webapps/mapstore"
-COPY georchestra-docker-scripts/ /
+COPY --chown=tomcat:tomcat --from=extractwar /tmp/mapstore "${CATALINA_BASE}/webapps/mapstore"
+COPY --chown=tomcat:tomcat georchestra-docker-scripts/ /
 
 # SHould be override in 2024.xx when a server.xml on 8080 will be available
-COPY docker/server.xml "${CATALINA_BASE}/conf/"
-
+COPY --chown=tomcat:tomcat docker/server.xml "${CATALINA_BASE}/conf/"
+USER tomcat
 
 # Geostore externalization template. Disabled by default
 # COPY docker/geostore-datasource-ovr.properties "${CATALINA_BASE}/conf/"
@@ -38,4 +46,5 @@ ENV TERM xterm
 # Necessary to execute tomcat and custom scripts
 ENTRYPOINT ["/docker-entrypoint.sh"]
 CMD ["catalina.sh", "run"]
+
 EXPOSE 8080
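Review bot: `chown -R tomcat:tomcat ${CATALINA_BASE}/` in the new RUN, together with the three `--chown=tomcat:tomcat` COPY lines, makes conf/ (server.xml, tomcat-users.xml), bin/ and the mapstore webapp itself writable by the account that runs Tomcat, so a compromised webapp can rewrite its own configuration or drop a new webapp — much of what running as non-root is meant to prevent. Least privilege is to chown only what Tomcat writes at runtime (logs/, temp/, work/) and leave the rest root-owned and read-only; if `/docker-entrypoint.sh` or the scripts in `/docker-entrypoint.d` rewrite specific files under conf/ at startup (the commented-out geostore override hints at config templating), extend the chown to those files rather than the whole tree, and note that executing the scripts in `/docker-entrypoint.d` does not require the tomcat user to own that directory. Independently, `USER tomcat` by name cannot be verified by Kubernetes `runAsNonRoot`, whereas `USER ${USER_UID}:${USER_GID}` can and also documents the UID the two new ARGs pin. The narrower chown additionally avoids the `-R` over the whole base rewriting every file of it into a new layer. The 999 defaults are in the Debian system-account range and may already be taken by the base image, in which case the build fails at `addgroup` — a loud failure, but worth a comment next to the ARGs.

```dockerfile
# Create a non-privileged tomcat user with a fixed numeric UID/GID
# (999 may collide with a system account in the base image; override at build time if so)
ARG USER_GID=999
ARG USER_UID=999
# Only the directories Tomcat writes at runtime become writable for the
# service account; conf/, bin/, lib/ and the webapp stay root-owned.
RUN addgroup --gid ${USER_GID} tomcat && \
    adduser --system -u ${USER_UID} --gid ${USER_GID} --no-create-home tomcat && \
    mkdir -p "${CATALINA_BASE}/logs" "${CATALINA_BASE}/temp" "${CATALINA_BASE}/work" && \
    chown -R tomcat:tomcat "${CATALINA_BASE}/logs" "${CATALINA_BASE}/temp" "${CATALINA_BASE}/work"

# Add application from first stage (read-only for the tomcat user)
COPY --from=extractwar /tmp/mapstore "${CATALINA_BASE}/webapps/mapstore"
COPY georchestra-docker-scripts/ /

# … unchanged: server.xml comment …
COPY docker/server.xml "${CATALINA_BASE}/conf/"
USER ${USER_UID}:${USER_GID}
```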