diff --git a/Dockerfile b/Dockerfile
index 0679b290..91d2012b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,6 +2,8 @@
 # https://github.com/nodejs/LTS
 FROM node:4-slim
 
+RUN groupadd user && useradd --create-home --home-dir /home/user -g user user
+
 # grab gosu for easy step-down from root
 ENV GOSU_VERSION 1.7
 RUN set -x \
@@ -36,7 +38,12 @@ RUN buildDeps=' \
 	&& rm -rf /tmp/npm*
 
 ENV GHOST_CONTENT /var/lib/ghost
-RUN mkdir -p "$GHOST_CONTENT"
+RUN mkdir -p "$GHOST_CONTENT" \
+	&& chown -R user:user "$GHOST_CONTENT" \
+# Ghost expects "config.js" to be in $GHOST_SOURCE, but it's more useful for
+# image users to manage that as part of their $GHOST_CONTENT volume, so we
+# symlink.
+	&& ln -s "$GHOST_CONTENT/config.js" "$GHOST_SOURCE/config.js"
 VOLUME $GHOST_CONTENT
 
 COPY docker-entrypoint.sh /entrypoint.sh
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
index a941aa9c..18f120be 100755
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -1,6 +1,12 @@
 #!/bin/bash
 set -e
 
+# allow the container to be started with `--user`
+if [[ "$*" == npm*start* ]] && [ "$(id -u)" = '0' ]; then
+	chown -R user "$GHOST_CONTENT"
+	exec gosu user "$BASH_SOURCE" "$@"
+fi
+
 if [[ "$*" == npm*start* ]]; then
 	baseDir="$GHOST_SOURCE/content"
 	for dir in "$baseDir"/*/ "$baseDir"/themes/*/; do
@@ -17,17 +23,6 @@ if [[ "$*" == npm*start* ]]; then
 			s!path.join\(__dirname, (.)/content!path.join(process.env.GHOST_CONTENT, \1!g;
 		' "$GHOST_SOURCE/config.example.js" > "$GHOST_CONTENT/config.js"
 	fi
-
-	ln -sf "$GHOST_CONTENT/config.js" "$GHOST_SOURCE/config.js"
-
-        PUID=${PUID:-1001}
-        PGID=${PGID:-1001}
-        groupadd -o -g "$PGID" user
-        useradd --create-home --home-dir /home/user -g user -o -u "$PUID" user
-
-	chown -R user:user "$GHOST_CONTENT"
-
-	set -- gosu user "$@"
 fi
 
 exec "$@"