diff --git a/Dockerfile.template b/Dockerfile.template
index 50d8586..8bf8946 100644
--- a/Dockerfile.template
+++ b/Dockerfile.template
@@ -1,5 +1,9 @@
 FROM ${DOCKER_PREFIX}portal-env:${DOCKER_TAG}-onbuild
+# Default user is "wicked", but we need root to set all access rights
+# correctly, and then start node as wicked using gosu.
+USER root
+
 EXPOSE 3001
 RUN cp -R /usr/src/portal-env/initial-config /var/portal-api
diff --git a/bin/api b/bin/api
index 4f97f0a..b96a053 100755
--- a/bin/api
+++ b/bin/api
@@ -24,6 +24,8 @@ var port = normalizePort(process.env.PORT || '3001');
 app.set('port', port);
 console.log("Portal API environment: " + app.get('env'));
+const osUsername = getOsUsername();
+console.log("Running as user '" + osUsername + "'");
 var environment = app.get('env');
 var staticConfigPath = envReader.resolveStaticConfig();
@@ -101,7 +103,7 @@ initializer.checkDynamicConfig(app, function (err, results) {
 server.on('listening', onListening);
 // Graceful shutdown
- const shutdown = function(signal) {
+ const shutdown = function (signal) {
 app.shuttingDown = true;
 console.log("Received " + signal + ". Gracefully shutting down.");
 setTimeout(process.exit, 1000);
@@ -179,4 +181,9 @@ function findEnvKeyFileName(baseDir) {
 return path.join(baseDir, fileName);
 }
 return null;
+}
+
+function getOsUsername() {
+ var username = require('child_process').execSync("whoami", { encoding: 'utf8', timeout: 1000 });
+ return String(username).trim();
 }
\ No newline at end of file
diff --git a/bin/docker-start.sh b/bin/docker-start.sh
index 9e93dba..35d99e8 100755
--- a/bin/docker-start.sh
+++ b/bin/docker-start.sh
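Review bot: After `USER root` the image's default user stays root, so the drop to `wicked` depends entirely on the start script reaching its `gosu` line; anything that enters the container another way (an overridden command, `docker exec`, later `RUN` steps) runs as root. The added comment should state that dependency, for example `# Image default is root from here on; only bin/docker-start.sh drops to "wicked" via gosu - do not bypass it.` The rest of the Dockerfile is outside this hunk, so whether a later `USER` line resets this cannot be seen here.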
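Review bot: `getOsUsername()` in the last bin/api hunk shells out to `whoami` through `execSync`, and its caller in the first bin/api hunk runs at module top level with no error handling, so a missing binary or the 1000 ms timeout throws and stops the API from starting just to print a log line. Node's `os.userInfo()` returns the same name without spawning a process, and a try/catch keeps the log line best-effort. If the aim is to confirm that the gosu drop worked, logging `process.getuid()` next to the name would make a root start visible even when the name lookup fails.

```javascript
function getOsUsername() {
    // Log-only helper: a failed lookup must never prevent startup.
    try {
        return require('os').userInfo().username;
    } catch (err) {
        return '(unknown)';
    }
}
```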
@@ -82,8 +82,12 @@ printf ${tempMd5Hash:0:32} > /var/portal-api/static/confighash
 echo "Hash: $(cat /var/portal-api/static/confighash)"
 popd
+export
+
+echo "Setting owner of /var/portal-api to wicked:wicked"
+chown -R wicked:wicked /var/portal-api
+
 echo "Starting API..."
-# Use direct starting via node, as npm prevents
-# SIGTERM being passed in to the node process.
-node bin/api
+# Use gosu to start node as the user "wicked"
+gosu wicked node bin/api
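Review bot: The bare `export` added after `popd` prints every exported environment variable to stdout, so any secret handed to the container through its environment is written to the container log on each start; it looks like leftover debugging and should be removed. Separately, `gosu wicked node bin/api` leaves this shell as node's parent; if the script is the container's main process, `exec gosu wicked node bin/api` lets node receive SIGTERM directly, which the graceful-shutdown handler in bin/api depends on. The removed comment was about exactly that signal path, so the new comment should keep a line saying why node is started this way.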