diff --git a/Dockerfile b/Dockerfile
index 345001b..26eefd8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -41,13 +41,20 @@ RUN cd /tmp/signal-cli-rest-api-src && swag init && go build
 # Start a fresh container for release container
 FROM adoptopenjdk:11-jdk-hotspot-bionic
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends setpriv \
+ && rm -rf /var/lib/apt/lists/*
+
 COPY --from=buildcontainer /tmp/signal-cli-rest-api-src/signal-cli-rest-api /usr/bin/signal-cli-rest-api
 COPY --from=buildcontainer /tmp/signal-cli /opt/signal-cli
+COPY entrypoint.sh /entrypoint.sh
-RUN ln -s /opt/signal-cli/bin/signal-cli /usr/bin/signal-cli
-RUN mkdir -p /signal-cli-config/
-RUN mkdir -p /home/.local/share/signal-cli
+RUN groupadd -g 1000 signal-api \
+ && useradd -M -d /home -s /bin/bash -u 1000 -g 1000 signal-api \
+ && ln -s /opt/signal-cli/bin/signal-cli /usr/bin/signal-cli \
+ && mkdir -p /signal-cli-config/ \
+ && mkdir -p /home/.local/share/signal-cli
 EXPOSE 8080
-ENTRYPOINT ["signal-cli-rest-api"]
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/entrypoint.sh b/entrypoint.sh
new file mode 100755
index 0000000..1439eb8
--- /dev/null
+++ b/entrypoint.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+set -x
+set -e
+
+# Fix permissions to ensure backward compatibility
+chown 1000:1000 -R /home/.local/share/signal-cli
+
+# Show warning on docker exec
+cat <> /root/.bashrc
+echo "WARNING: signal-cli-rest-api runs as signal-api (not as root!)"
+echo "Run 'su signal-api' before using signal-cli!"
+EOF
+
+# Start API as signal-api user
+exec setpriv --reuid=1000 --regid=1000 --init-groups --inh-caps=-all signal-cli-rest-api $@
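Review bot: The new RUN creates `/signal-cli-config/` and `/home/.local/share/signal-cli` as root and never changes their ownership, and the entrypoint later re-owns only the second one, so after the process drops to uid 1000 it presumably cannot write `/signal-cli-config/` (assuming the API still uses that path, as the retained mkdir suggests). Ownership can be fixed in the same layer: `&& mkdir -p /signal-cli-config/ /home/.local/share/signal-cli \` followed by `&& chown -R 1000:1000 /signal-cli-config/ /home/.local/share/signal-cli`. The `setpriv` install is unpinned (hadolint DL3008); `setpriv=<pinned-version>` keeps the image reproducible. The stage still ends without a `USER` directive by design, because the entrypoint drops privileges; a one-line comment above `ENTRYPOINT` saying `# runs as root only until /entrypoint.sh drops to uid 1000 via setpriv` would save the next reviewer from flagging it.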
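Review bot: The final `exec setpriv … signal-cli-rest-api $@` expands `$@` unquoted, so any argument containing whitespace or glob characters is re-split before it reaches the API; it should be `"$@"`. The `cat <> /root/.bashrc` line reads as a garbled heredoc (presumably `cat <<EOF >> /root/.bashrc` in the committed file); with `>>` it appends the two echo lines to `/root/.bashrc` on every container start, so restarts accumulate duplicate warnings — guard it with a `grep -q` check or write the file with a single `>`. `set -x` traces every command, including the full argument list, to stderr; drop it or gate it on a debug variable so container logs stay clean. `setpriv` also accepts `--no-new-privs`, which keeps the dropped-privilege process from regaining privileges through setuid binaries and belongs next to `--inh-caps=-all`.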