diff --git a/Dockerfile b/Dockerfile
index 9d8886f92ff916a611b71e9fadc6a7ef50233e88..fb54a4503f44ef2db91c15e9afb7357683543e51 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -78,3 +78,11 @@ RUN set -e; \
     apt-get clean -y; \
     rm -f /var/lib/apt/lists/*_*; \
     rm -rf /root/.cache
+
+# Drop privileges for runtime
+FROM clean AS unprivileged
+WORKDIR /var/lib/aleksis
+RUN chown -R www-data:www-data \
+        /var/lib/aleksis \
+        /usr/share/aleksis/static
+USER www-data:www-data