diff --git a/README.md b/README.md
index ec2e2d439..14bbf6046 100644
--- a/README.md
+++ b/README.md
@@ -196,6 +196,8 @@ For this container image, you can use these environment variables, **in addition
 | ENCRYPTED_ONLY | yes | if set to **"1"** unencrypted connection will not be accepted |
 | KEY_PUB | yes | public part of the key pair |
 | KEY_PRIV | yes | private part of the key pair |
+| PUID | yes | user ID that hbbr/hbbs will use (1000 by default) |
+| PGID | yes | group ID that hbbr/hbbs will use (1000 by default) |
 
 ### Secret management in S6-overlay based images
 
diff --git a/docker/Dockerfile b/docker/Dockerfile
index a8a2130a9..f0a25e70a 100755
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -14,6 +14,12 @@ COPY rootfs /
 
 ENV RELAY=relay.example.com
 ENV ENCRYPTED_ONLY=0
+ENV PGID=1000
+ENV PUID=1000
+
+RUN \
+ addgroup -g "${PGID}" rustdesk && \
+ adduser -D -h /data -u "${PUID}" -G rustdesk rustdesk
 
 EXPOSE 21115 21116 21116/udp 21117 21118 21119
 
@@ -23,4 +29,6 @@ WORKDIR /data
 
 VOLUME /data
 
+USER rustdesk
+
 ENTRYPOINT ["/init"]
diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbr/dependencies b/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbr/dependencies
index 23bc57dff..f29459fd0 100644
--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbr/dependencies
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbr/dependencies
@@ -1 +1,2 @@
 key-secret
+set-user
diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbr/run b/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbr/run
index c17d27b0e..caed28871 100755
--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbr/run
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbr/run
@@ -1,5 +1,9 @@
 #!/command/with-contenv sh
-cd /data
+cd /data || return
 PARAMS=
 [ "${ENCRYPTED_ONLY}" = "1" ] && PARAMS="-k _"
-/usr/bin/hbbr $PARAMS
+if [ "$(id -u)" -ne 0 ] ; then
+ /usr/bin/hbbr $PARAMS
+else
+ exec s6-setuidgid rustdesk /usr/bin/hbbr $PARAMS
+fi
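Review bot: `ENV PGID=1000` / `ENV PUID=1000` fix the ids consumed by `addgroup`/`adduser` at build time, so an image consumer cannot choose a different id without editing the Dockerfile; declaring `ARG PUID=1000` and `ARG PGID=1000` before the RUN and then `ENV PUID=${PUID} PGID=${PGID}` keeps the runtime default while making `--build-arg` work. Because `USER rustdesk` is added before `ENTRYPOINT ["/init"]` in the next hunk, `/init` starts unprivileged by default, and the new `set-user` oneshot exits immediately when `id -u` is not 0, so the runtime `PUID`/`PGID` documented in the README only take effect when the operator overrides the user at `docker run` time — that caveat belongs next to the new README rows. `adduser -h /data` leaves `/data` owned by uid 1000 inside the image, but a bind-mounted `VOLUME /data` carries the host's ownership, and with a non-root `/init` nothing in the image can correct it.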
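Review bot: `cd /data || return` is not a safe failure path in this script: `return` is only defined inside a function or a sourced script, and what a standalone `sh` does with it at top level is shell-specific, so a failed `cd` may fall through and start hbbr in whatever directory it happens to be in; use `cd /data || exit 1`. The non-root branch also runs `/usr/bin/hbbr $PARAMS` without `exec`, unlike the root branch, so s6 supervises this `sh` wrapper instead of hbbr and a stop signal reaches the shell rather than the daemon — write it as `exec /usr/bin/hbbr $PARAMS`. The same two lines appear in the hbbs/run hunk and need the same treatment.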
diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbs/dependencies b/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbs/dependencies
index f72cf00c8..ed8bf53fb 100644
--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbs/dependencies
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbs/dependencies
@@ -1,2 +1,3 @@
 key-secret
+set-user
 hbbr
diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbs/run b/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbs/run
index 59e216313..0cf5846c1 100755
--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbs/run
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbs/run
@@ -1,6 +1,10 @@
 #!/command/with-contenv sh
 sleep 2
-cd /data
+cd /data || return
 PARAMS=
 [ "${ENCRYPTED_ONLY}" = "1" ] && PARAMS="-k _"
-/usr/bin/hbbs -r $RELAY $PARAMS
+if [ "$(id -u)" -ne 0 ] ; then
+ /usr/bin/hbbs -r $RELAY $PARAMS
+else
+ exec s6-setuidgid rustdesk /usr/bin/hbbs -r $RELAY $PARAMS
+fi
diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/set-user/type b/docker/rootfs/etc/s6-overlay/s6-rc.d/set-user/type
new file mode 100755
index 000000000..bdd22a185
--- /dev/null
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/set-user/type
@@ -0,0 +1 @@
+oneshot
diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/set-user/up b/docker/rootfs/etc/s6-overlay/s6-rc.d/set-user/up
new file mode 100755
index 000000000..30ca6e851
--- /dev/null
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/set-user/up
@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/set-user/up.real
diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/set-user/up.real b/docker/rootfs/etc/s6-overlay/s6-rc.d/set-user/up.real
new file mode 100755
index 000000000..8117d6fac
--- /dev/null
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/set-user/up.real
@@ -0,0 +1,15 @@
+#!/command/with-contenv sh
+
+if [ "$(id -u)" -ne 0 ] ; then
+ # if the container is running unprivileged, we cannot manage users
+ exit
+fi
+
+PUID=${PUID:-1000}
+PGID=${PGID:-1000}
+
+# usermod/groupmod is not present in this image, so we use this dirty trick
+sed -i "s/^rustdesk\:.*/rustdesk:x:${PGID}:rustdesk/" /etc/group
+sed -i "s/^rustdesk\:.*/rustdesk:x:${PUID}:${PGID}:Linux User,,,:\/data:\/bin\/sh/" /etc/passwd
+
+chown "${PUID}:${PGID}" "/data"
diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/set-user b/docker/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/set-user
new file mode 100644
index 000000000..e69de29bb
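Review bot: `PUID` and `PGID` are taken from the container environment and interpolated into the `sed -i` replacement strings and the `chown` argument without any check, so a non-numeric value (or one containing `/` or `&`) yields a malformed `/etc/passwd` or `/etc/group` entry instead of a clean failure; validate them after the defaults, e.g. `case "${PUID}${PGID}" in *[!0-9]*) echo "PUID/PGID must be numeric" >&2; exit 1 ;; esac`. The passwd `sed` rewrites the whole line, so home and shell are reset to the literal values here rather than preserved, and `chown` on `/data` is not recursive, so anything already in the volume under a previous uid stays inaccessible to the new one — I cannot see from this diff where the `key-secret` service writes its key material, but if that is under `/data` as root it needs the same fix. The early `exit` on non-root succeeds silently; a one-line notice on stderr would tell the operator why PUID/PGID were ignored.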