11.2.1.1 Runtime App User
A focused guide to Runtime App User, connecting core concepts with practical Docker and container operations.
A runtime app user is the specific, dedicated non-root user account an application's container actually runs as, deliberately created and configured for that particular application rather than relying on a generic or shared user identity.
Creating a Dedicated User for the Application
A Dockerfile explicitly creates a user and group specifically intended for running this particular application.
FROM python:3.12-slim
RUN groupadd -r appgroup && useradd -r -g appgroup appuser
COPY . /app
USER appuser
CMD ["python", "/app/main.py"]
This appuser exists specifically for running this application, distinct from any other purpose.
Why a Dedicated User Is Preferable to a Generic One
A dedicated, application-specific user makes the intent of the configuration clear: there is no ambiguity about what this account is for, which is not the case when a generic, broadly shared identity is reused across images.
USER appuser
Ensuring File Ownership Matches the Runtime User
Application files must be owned so that this runtime user can actually read them, rather than being left root-owned and causing avoidable permission errors at startup.
COPY --chown=appuser:appgroup . /app
USER appuser
Using --chown directly in the COPY instruction ensures the application's files are owned by the user that will actually need to read (and potentially write) them at runtime.
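A small audit of the two Dockerfile properties discussed so far (a created, non-root final USER and COPY/ADD with --chown), written as an added example that is not part of this guide. The two embedded Dockerfiles are constructed samples modelled on the snippets above; the function names are my own.

```python
"""Audit a Dockerfile for the runtime-app-user properties discussed above."""
import re

# Constructed sample: files are copied without --chown, so they stay root-owned.
WEAK_DOCKERFILE = """\
FROM python:3.12-slim
RUN groupadd -r appgroup && useradd -r -g appgroup appuser
COPY . /app
USER appuser
CMD ["python", "/app/main.py"]
"""

# Constructed sample: same image with --chown and a final non-root USER.
HARDENED_DOCKERFILE = """\
FROM python:3.12-slim
RUN groupadd -r appgroup && useradd -r -g appgroup appuser
COPY --chown=appuser:appgroup . /app
USER appuser
CMD ["python", "/app/main.py"]
"""

def parse_instructions(text):
    """Yield (INSTRUCTION, arguments) pairs, joining backslash continuations."""
    joined = re.sub(r"\\\n", " ", text)
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        yield parts[0].upper(), (parts[1] if len(parts) > 1 else "")

def audit_dockerfile(text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    instructions = list(parse_instructions(text))
    # USER may be "name", "uid", "name:group" or "uid:gid"; only the user part matters here.
    users = [args.split(":")[0] for ins, args in instructions if ins == "USER"]
    if not users:
        findings.append("no USER instruction: container runs as root")
    elif users[-1] in ("root", "0"):
        findings.append("final USER is root")
    runtime_user = users[-1] if users and users[-1] not in ("root", "0") else None
    created = any(ins == "RUN" and "useradd" in args for ins, args in instructions)
    if runtime_user and not created:
        findings.append(f"USER {runtime_user} is not created in this Dockerfile (base image?)")
    for ins, args in instructions:
        if ins in ("COPY", "ADD") and "--chown=" not in args:
            findings.append(f"{ins} without --chown: files stay root-owned")
    return findings
```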
Avoiding Granting This User Unnecessary Privileges
The dedicated application user should be granted only the specific filesystem and capability access it actually needs, not broader privileges that aren't genuinely required for the application to function.
RUN chmod 750 /app/sensitive-config
Why a Runtime App User Matters
Creating and using a dedicated, appropriately scoped user specifically for running a given application reflects a deliberate, security-conscious configuration choice, providing clarity about the runtime identity's purpose and limiting that identity's privileges to what the application genuinely requires.