diff --git a/match_collector/Dockerfile b/match_collector/Dockerfile
index 25a1dc9..05594ac 100644
--- a/match_collector/Dockerfile
+++ b/match_collector/Dockerfile
@@ -20,9 +20,14 @@ RUN npm install
 COPY --chown=node:node match_collector/. .
 
 FROM node:current-alpine
+# Install su-exec for dropping privileges
+RUN apk add --no-cache su-exec
 RUN mkdir -p /home/node/app && chown -R node:node /home/node/app
 WORKDIR /home/node/app
-USER node
 COPY --from=build --chown=node:node /home/node/app/match_collector/node_modules ./node_modules
 COPY --from=build --chown=node:node /home/node/app/match_collector/. .
+COPY --chown=node:node match_collector/docker-entrypoint.sh /usr/local/bin/
+RUN chmod +x /usr/local/bin/docker-entrypoint.sh
+# Run entrypoint as root to fix permissions, then drop to node user
+ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]
 CMD ["/bin/sh", "-c", "node --import=tsx src/index.ts; sleep 20h"]
diff --git a/match_collector/docker-entrypoint.sh b/match_collector/docker-entrypoint.sh
new file mode 100644
index 0000000..0fa458b
--- /dev/null
+++ b/match_collector/docker-entrypoint.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+# Fix permissions on the cdragon cache directory if it exists
+if [ -d "/cdragon" ]; then
+  # Ensure the node user owns the cdragon directory
+  chown -R node:node /cdragon 2>/dev/null || true
+fi
+
+# Execute the main command as the node user
+exec su-exec node "$@"