Operations 7 min read

From 777 to Least‑Privilege: Securely Deploying Spring Boot with Docker

This article explains why using 777 permissions on production servers is dangerous when deploying a Spring Boot Docker service, and provides step‑by‑step guidance on applying minimal permissions, creating dedicated users, and automating secure deployments with Docker, CI/CD, and Kubernetes.

Selected Java Interview Questions

May 21, 2025

From 777 to Least‑Privilege: Securely Deploying Spring Boot with Docker

In this article we discuss the pitfalls of using overly permissive 777 permissions when an intern deploys a Spring Boot application in Docker on a production server, and we propose a step‑by‑step approach to apply least‑privilege permissions.

Simple approach: set everything to 777

Running chmod -R 777 /app makes all files readable, writable and executable, which can break SSH and other system services.

Problems with the simple method

Security broken : anyone can modify files.

System damage : recursive -R changes affect critical system files.

Unnecessary : a Spring Boot container does not need such broad rights.

First improvement: minimal permissions

Create a dedicated user (e.g., dev) and give the application directory proper ownership:

mkdir /app
chown dev:dev /app
chmod 700 /app

Write a Dockerfile and build the image:

FROM openjdk:17
COPY target/myapp.jar /app/myapp.jar
WORKDIR /app
CMD ["java","-jar","myapp.jar"]

Build and run the container (note that Docker commands require root or sudo):

docker build -t my-springboot-app .
sudo docker run -d -p 8080:8080 -v /app:/app my-springboot-app

Further optimization: production‑grade setup

Create a service user springuser, assign the /app directory to it, add the user to the docker group, and run Docker without sudo:

sudo useradd -m springuser
sudo passwd springuser
sudo mkdir /app
sudo chown springuser:springuser /app
sudo chmod 750 /app
sudo usermod -aG docker springuser

In Kubernetes, define a Deployment with a securityContext that runs the container as a non‑root user:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: springboot-app
spec:
  replicas: 3
  selector:
    matchLabels:
      app: springboot
  template:
    metadata:
      labels:
        app: springboot
    spec:
      securityContext:
        runAsUser: 1000
      containers:
      - name: app
        image: my-springboot-app
        ports:
        - containerPort: 8080

The article concludes with best‑practice recommendations: avoid 777, use precise modes like 750 or 550, employ dedicated service accounts, add users to the Docker group, and automate deployments with CI/CD, Docker Compose, or Kubernetes.

Original Source

Signed-in readers can open the original source through BestHub's protected redirect.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.

Docker Kubernetes Linux Spring Boot Permissions

Written by

Selected Java Interview Questions

A professional Java tech channel sharing common knowledge to help developers fill gaps. Follow us!

0 followers

Reader feedback

How this landed with the community

Rate this article

Was this worth your time?

Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.