Run as a non-privileged user by default

1.2/Dockerfile

@@ -1,5 +1,7 @@
 FROM buildpack-deps:jessie
 
+RUN groupadd --gid 25000 app && useradd --uid 25000 --gid 25000 --create-home --shell /bin/bash app
+
 # gpg keys listed at https://github.com/iojs/io.js
 RUN gpg --keyserver pool.sks-keyservers.net --recv-keys 9554F04D7259F04124DE6B476D5A82AC7E37093B DD8F2338BAE7501E3DD5AC78C273792F7D83545D
 
@@ -12,4 +14,4 @@ RUN curl -SLO "https://iojs.org/dist/v$IOJS_VERSION/iojs-v$IOJS_VERSION-linux-x6
   && tar -xzf "iojs-v$IOJS_VERSION-linux-x64.tar.gz" -C /usr/local --strip-components=1 \
   && rm "iojs-v$IOJS_VERSION-linux-x64.tar.gz" SHASUMS256.txt.asc
 
-CMD [ "iojs" ]
+CMD [ "su", "-c", "iojs", "app" ]

1.2/onbuild/Dockerfile

@@ -7,4 +7,4 @@ ONBUILD COPY package.json /usr/src/app/
 ONBUILD RUN npm install
 ONBUILD COPY . /usr/src/app
 
-CMD [ "npm", "start" ]
+CMD [ "su", "-c", "npm start", "app" ]

1.2/slim/Dockerfile

@@ -1,5 +1,7 @@
 FROM buildpack-deps:jessie-curl
 
+RUN groupadd --gid 25000 app && useradd --uid 25000 --gid 25000 --create-home --shell /bin/bash app
+
 # gpg keys listed at https://github.com/iojs/io.js
 RUN gpg --keyserver pool.sks-keyservers.net --recv-keys 9554F04D7259F04124DE6B476D5A82AC7E37093B DD8F2338BAE7501E3DD5AC78C273792F7D83545D
 
@@ -12,4 +14,4 @@ RUN curl -SLO "https://iojs.org/dist/v$IOJS_VERSION/iojs-v$IOJS_VERSION-linux-x6
   && tar -xzf "iojs-v$IOJS_VERSION-linux-x64.tar.gz" -C /usr/local --strip-components=1 \
   && rm "iojs-v$IOJS_VERSION-linux-x64.tar.gz" SHASUMS256.txt.asc
 
-CMD [ "iojs" ]
+CMD [ "su", "-c", "iojs", "app" ]