diff --git a/Runner.Dockerfile b/Runner.Dockerfile
index fa3dfc3..e2f2e71 100644
--- a/Runner.Dockerfile
+++ b/Runner.Dockerfile
@@ -15,7 +15,7 @@ FROM docker.io/library/debian:bookworm-slim
 WORKDIR /app
 RUN apt-get update && apt-get upgrade -y \
- && apt-get install -y ca-certificates libnl-route-3-200 libprotobuf32 tini \
+ && apt-get install -y ca-certificates gosu libnl-route-3-200 libprotobuf32 tini \
 && apt-get clean && rm -rf /var/lib/apt/lists
 # rootfs
diff --git a/Server.Dockerfile b/Server.Dockerfile
index 18a8a48..9252f37 100644
--- a/Server.Dockerfile
+++ b/Server.Dockerfile
@@ -12,7 +12,7 @@ RUN find /app -type f -name "*.map" -delete
 FROM docker.io/library/alpine
 WORKDIR /app
-RUN apk --no-cache add tzdata ca-certificates bash
+RUN apk --no-cache add tzdata ca-certificates bash su-exec
 COPY --from=base /builder/config.docker.yaml /app
 COPY --from=base /builder/docker-entrypoint.sh /app
diff --git a/docker-compose.yml b/docker-compose.yml
index 2d6ca3f..a77b2d3 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,6 +1,6 @@
 services:
 server:
- image: git.0x7f.app/woj/woj-server:1.3.1-dev
+ image: quay.io/ldcraft/woj-server:1.3.1-dev
 restart: unless-stopped
 healthcheck:
 test: [ "CMD", "wget", "-q", "-O", "/dev/null", "http://127.0.0.1:8000/health" ]
@@ -27,7 +27,7 @@ services:
 - "8000:8000"
 runner:
- image: git.0x7f.app/woj/woj-runner:1.3.1-dev
+ image: quay.io/ldcraft/woj-runner:1.3.1-dev
 restart: unless-stopped
 command: runner
 privileged: true
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
index dea0112..65561d4 100755
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
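Review bot: The changed `apt-get install -y …` line in Runner.Dockerfile still installs without `--no-install-recommends`, so adding `gosu` to the list can bring in any recommended packages alongside it and widen what ships in the runner image. Writing the line as `&& apt-get install -y --no-install-recommends ca-certificates gosu libnl-route-3-200 libprotobuf32 tini \` keeps the runtime stage to the packages actually named.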
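Review bot: In Server.Dockerfile, `su-exec` is added to a runtime stage whose base is the untagged `FROM docker.io/library/alpine` shown just above the changed line, so the version of the privilege-drop helper (and of every other package on that `apk` line) depends on whatever `latest` resolves to at build time. Pinning the base, e.g. `FROM docker.io/library/alpine:<release-tag>`, would make the image reproducible. The stage continues past the end of the hunk.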
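Review bot: Both `image:` lines in docker-compose.yml now pull from `quay.io/ldcraft/…` by the mutable tag `1.3.1-dev`, and the second hunk's `runner` service runs that image with `privileged: true`, so anyone able to push that tag gets a privileged container on the host. Pinning the digest alongside the tag, e.g. `image: quay.io/ldcraft/woj-runner:1.3.1-dev@sha256:<digest>`, makes the registry move verifiable. The same applies to the `server` image in the first hunk.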
@@ -136,11 +136,37 @@ setup_cgroups() {
 sed -e 's/ / +/g' -e 's/^/+/' < /sys/fs/cgroup/nsjail/cgroup.controllers > /sys/fs/cgroup/nsjail/cgroup.subtree_control
 }
-if [ -n "$SETUP_CGROUP" ]; then
- setup_cgroups
-fi
+setup_user_runner() {
+ # runner use debian as base image
+ groupadd -g 1000 woj
+ useradd -g 1000 -u 1000 woj
+ # runner data
+ chown -R woj:woj /app/resource/runner/problem || true
+ chown -R woj:woj /app/resource/runner/tmp || true
+ chown -R woj:woj /app/resource/runner/user || true
+ # cgroups
+ chown -R woj:root /sys/fs/cgroup/nsjail
+}
+setup_user_server() {
+ # server use alpine as base image
+ addgroup -g 1000 -S woj
+ adduser -u 1000 -S -G woj woj
+}
+
+setup_user() {
+ if [ -n "$RUNNER_IMAGE" ]; then
+ setup_user_runner
+ else
+ setup_user_server
+ fi
+}
+
+if [ -n "$RUNNER_IMAGE" ]; then setup_cgroups; fi
 generate_config
+setup_user
 log_info "starting woj"
-exec /app/woj "$@"
+if [ -n "$RUNNER_IMAGE" ]; then EXEC=gosu; else EXEC=su-exec; fi
+exec $EXEC /app/woj "$@"
+
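Review bot: The final `exec $EXEC /app/woj "$@"` never names the account to switch to: both gosu and su-exec take the user as their first argument, so `/app/woj` would be parsed as the user spec and the container fails to resolve a user instead of running as `woj`. The line should read `exec "$EXEC" woj /app/woj "$@"`. Separately, `setup_user_runner` and `setup_user_server` create the account on every start, and with `restart: unless-stopped` a restarted container keeps its `/etc/passwd`, so `groupadd`/`addgroup` will report that `woj` already exists; guarding with `id woj >/dev/null 2>&1 || …` keeps the script idempotent (whether that failure is fatal depends on a `set -e` that would be outside this hunk). Nothing visible in the Dockerfile or compose hunks sets `RUNNER_IMAGE`, so confirm the runner image exports it, otherwise `setup_cgroups` is skipped and the Debian image is asked for `su-exec`.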