diff --git a/images/prowlarr/Dockerfile b/images/prowlarr/Dockerfile
index 42ce21e..82a4bc9 100644
--- a/images/prowlarr/Dockerfile
+++ b/images/prowlarr/Dockerfile
@@ -14,10 +14,18 @@ RUN \
         --root /rootfs \
         base-files_base \
         base-files_release-info \
-        base-passwd_data \
         ca-certificates_data \
         dotnet-runtime-8.0_libs \
-        libsqlite3-0_libs
+        libsqlite3-0_libs \
+    && useradd \
+        --root /rootfs \
+        --system \
+        --no-create-home \
+        --uid 1000 \
+        nonroot \
+    && rm /rootfs/etc/.pwd.lock \
+    && mkdir /rootfs/config \
+    && chown 1000 /rootfs/config
 
 # Download prowlarr
 RUN \
@@ -33,4 +41,5 @@ FROM scratch
 COPY --from=builder /rootfs /
 COPY --from=builder /Prowlarr /Prowlarr
 
+USER nonroot
 ENTRYPOINT ["/Prowlarr/Prowlarr", "--nobrowser", "--data=/config"]
diff --git a/images/radarr/Dockerfile b/images/radarr/Dockerfile
index c77e9c2..e3934cb 100644
--- a/images/radarr/Dockerfile
+++ b/images/radarr/Dockerfile
@@ -14,10 +14,18 @@ RUN \
         --root /rootfs \
         base-files_base \
         base-files_release-info \
-        base-passwd_data \
         ca-certificates_data \
         dotnet-runtime-8.0_libs \
-        libsqlite3-0_libs
+        libsqlite3-0_libs \
+    && useradd \
+        --root /rootfs \
+        --system \
+        --no-create-home \
+        --uid 1000 \
+        nonroot \
+    && rm /rootfs/etc/.pwd.lock \
+    && mkdir /rootfs/config \
+    && chown 1000 /rootfs/config
 
 # Download radarr
 RUN \
@@ -33,4 +41,5 @@ FROM scratch
 COPY --from=builder /rootfs /
 COPY --from=builder /Radarr /Radarr
 
+USER nonroot
 ENTRYPOINT ["/Radarr/Radarr", "--nobrowser", "--data=/config"]
diff --git a/images/sonarr/Dockerfile b/images/sonarr/Dockerfile
index 1fc8d11..250d0f3 100644
--- a/images/sonarr/Dockerfile
+++ b/images/sonarr/Dockerfile
@@ -14,10 +14,18 @@ RUN \
         --root /rootfs \
         base-files_base \
         base-files_release-info \
-        base-passwd_data \
         ca-certificates_data \
         dotnet-runtime-8.0_libs \
-        libsqlite3-0_libs
+        libsqlite3-0_libs \
+    && useradd \
+        --root /rootfs \
+        --system \
+        --no-create-home \
+        --uid 1000 \
+        nonroot \
+    && rm /rootfs/etc/.pwd.lock \
+    && mkdir /rootfs/config \
+    && chown 1000 /rootfs/config
 
 # Download sonarr
 RUN \
@@ -33,4 +41,5 @@ FROM scratch
 COPY --from=builder /rootfs /
 COPY --from=builder /Sonarr /Sonarr
 
+USER nonroot
 ENTRYPOINT ["/Sonarr/Sonarr", "--nobrowser", "--data=/config"]