BestHub
Sign in
Operations 7 min read

From 777 to Least‑Privilege: Securely Deploying Spring Boot with Docker

This article explains why using 777 permissions on production servers is dangerous when deploying a Spring Boot Docker service, and provides step‑by‑step guidance on applying minimal permissions, creating dedicated users, and automating secure deployments with Docker, CI/CD, and Kubernetes.

Selected Java Interview Questions
Selected Java Interview Questions
Selected Java Interview Questions
From 777 to Least‑Privilege: Securely Deploying Spring Boot with Docker

In this article we discuss the pitfalls of using overly permissive 777 permissions when an intern deploys a Spring Boot application in Docker on a production server, and we propose a step‑by‑step approach to apply least‑privilege permissions.

Simple approach: set everything to 777

Running chmod -R 777 /app makes all files readable, writable and executable, which can break SSH and other system services.

Problems with the simple method

Security broken : anyone can modify files.

System damage : recursive -R changes affect critical system files.

Unnecessary : a Spring Boot container does not need such broad rights.

First improvement: minimal permissions

Create a dedicated user (e.g., dev ) and give the application directory proper ownership:

mkdir /app
chown dev:dev /app
chmod 700 /app

Write a Dockerfile and build the image:

FROM openjdk:17
COPY target/myapp.jar /app/myapp.jar
WORKDIR /app
CMD ["java","-jar","myapp.jar"]

Build and run the container (note that Docker commands require root or sudo):

docker build -t my-springboot-app .
sudo docker run -d -p 8080:8080 -v /app:/app my-springboot-app

Further optimization: production‑grade setup

Create a service user springuser , assign the /app directory to it, add the user to the docker group, and run Docker without sudo:

sudo useradd -m springuser
sudo passwd springuser
sudo mkdir /app
sudo chown springuser:springuser /app
sudo chmod 750 /app
sudo usermod -aG docker springuser

In Kubernetes, define a Deployment with a securityContext that runs the container as a non‑root user:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: springboot-app
spec:
  replicas: 3
  selector:
    matchLabels:
      app: springboot
  template:
    metadata:
      labels:
        app: springboot
    spec:
      securityContext:
        runAsUser: 1000
      containers:
      - name: app
        image: my-springboot-app
        ports:
        - containerPort: 8080

The article concludes with best‑practice recommendations: avoid 777, use precise modes like 750 or 550, employ dedicated service accounts, add users to the Docker group, and automate deployments with CI/CD, Docker Compose, or Kubernetes.

Dockerci/cdKubernetesLinuxSpring BootPermissions
Selected Java Interview Questions
Written by

Selected Java Interview Questions

A professional Java tech channel sharing common knowledge to help developers fill gaps. Follow us!

0 followers
Reader feedback

How this landed with the community

login Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.

Sign in to comment