diff --git a/Dockerfile b/Dockerfile
index 9ace4b0..1913b68 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -55,6 +55,8 @@ COPY ./build/dev/services/ /etc/supervisor.d/
 COPY ./build/dev/Caddyfile /etc/Caddyfile
 COPY ./build/dev/entrypoint.sh /var/app/entrypoint.sh
 
+RUN apk add --no-cache shadow
+
 RUN chmod a+x /var/app/entrypoint.sh
 
 USER root
diff --git a/README.md b/README.md
index 44a16ee..b331273 100644
--- a/README.md
+++ b/README.md
@@ -26,6 +26,8 @@ host OS to take advantage of this file, but all instructions are provided in bot
 
 Copy `dev.dist.env` to `dev.env` and update it with any missing secrets.
 
+Update `PUID` and `PGID` to your local user/group ID respectively (the values of `id -u` and `id -g`) to ensure permissions match correctly.
+
 The database will be created from the DB migrations (in `/db/migrations`) on initial startup.
 
 The following user accounts are created on local dev, all with the password `WaterWolf!`:
diff --git a/build/dev/entrypoint.sh b/build/dev/entrypoint.sh
index 0966358..5f7a13e 100644
--- a/build/dev/entrypoint.sh
+++ b/build/dev/entrypoint.sh
@@ -1,5 +1,12 @@
 #!/bin/bash
 
+# Set UID/GID
+PUID="${PUID:-1000}"
+PGID="${PGID:-1000}"
+
+groupmod -o -g "$PGID" app
+usermod -o -u "$PUID" app
+
 # Write environment variables to script
 declare -p | grep -Ev 'BASHOPTS|BASH_VERSINFO|EUID|PPID|SHELLOPTS|UID' > /container.env
 chmod 744 /container.env
diff --git a/dev.dist.env b/dev.dist.env
index cce12e9..0368c26 100644
--- a/dev.dist.env
+++ b/dev.dist.env
@@ -2,6 +2,9 @@
 # The passwords are randomly generated, but things like MariaDB are never exposed
 # to the web in local
 
+PUID=1000
+PGID=1000
+
 # Database username used by the app
 MARIADB_USER="web"