The Tomcat service should be executed with a non-root user

Security best practices indicate Tomcat should not be run as root. Even though we can mitigate dropping into a privileged shell within a container, the issue can be avoided through moderate effort.

The [Docker Official Image packaging for Postgres](https://github.com/docker-library/postgres) provides a good example, albeit for a different service.

## References

1. [Ghostcat bug impacts all Apache Tomcat versions released in the last 13 years](https://www.zdnet.com/article/ghostcat-bug-impacts-all-apache-tomcat-versions-released-in-the-last-13-years/)
1. [SELinux, Apache, and Tomcat – Tomcat – A Securely A Securely Implemented Web Application Server](https://owasp.org/www-pdf-archive/Secure_Web_App_Server_McRee_OWASP.pdf)
1. [Improving Apache Tomcat Security - A Step By Step Guide](https://www.mulesoft.com/tcat/tomcat-security)


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

The Tomcat service should be executed with a non-root user #38

References

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

The Tomcat service should be executed with a non-root user #38

Description

References

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions