diff --git a/README.md b/README.md
index 9616c13..49c2a4c 100644
--- a/README.md
+++ b/README.md
@@ -99,6 +99,8 @@ services:
       - TZ=Europe/London
       - CONNECTION_TOKEN=supersecrettoken #optional
       - CONNECTION_SECRET= #optional
+      - SUDO_PASSWORD=password #optional
+      - SUDO_PASSWORD_HASH= #optional
     volumes:
       - /path/to/appdata/config:/config
     ports:
@@ -116,6 +118,8 @@ docker run -d \
   -e TZ=Europe/London \
   -e CONNECTION_TOKEN=supersecrettoken `#optional` \
   -e CONNECTION_SECRET= `#optional` \
+  -e SUDO_PASSWORD=password `#optional` \
+  -e SUDO_PASSWORD_HASH= `#optional` \
   -p 3000:3000 \
   -v /path/to/appdata/config:/config \
   --restart unless-stopped \
@@ -134,6 +138,8 @@ Container images are configured using parameters passed at runtime (such as thos
 | `-e TZ=Europe/London` | Specify a timezone to use. |
 | `-e CONNECTION_TOKEN=supersecrettoken` | Optional security token for accessing the Web UI. |
 | `-e CONNECTION_SECRET=` | Optional path to a file inside the container that contains the security token for accessing the Web UI (ie. `/path/to/file`). Overrides `CONNECTION_TOKEN`. |
+| `-e SUDO_PASSWORD=password` | If this optional variable is set, user will have sudo access in the openvscode-server terminal with the specified password. |
+| `-e SUDO_PASSWORD_HASH=` | Optionally set sudo password via hash (takes priority over `SUDO_PASSWORD` var). Format is `$type$salt$hashed`. |
 | `-v /config` | Contains all relevant configuration files. |
 
 ## Environment variables from files (Docker secrets)
@@ -245,6 +251,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
 
 ## Versions
 
+* **30.11.21:** - Fix app folder permissions, add the optional sudo password vars.
 * **29.11.21:** - Create `.profile` and `.bashrc` for the user.
 * **29.11.21:** - Release `insiders` tag.
 * **28.11.21:** - Initial Release.
diff --git a/readme-vars.yml b/readme-vars.yml
index 629d21f..af01a1e 100644
--- a/readme-vars.yml
+++ b/readme-vars.yml
@@ -37,6 +37,8 @@ opt_param_usage_include_env: true
 opt_param_env_vars:
   - { env_var: "CONNECTION_TOKEN", env_value: "supersecrettoken", desc: "Optional security token for accessing the Web UI." }
   - { env_var: "CONNECTION_SECRET", env_value: "", desc: "Optional path to a file inside the container that contains the security token for accessing the Web UI (ie. `/path/to/file`). Overrides `CONNECTION_TOKEN`." }
+  - { env_var: "SUDO_PASSWORD", env_value: "password", desc: "If this optional variable is set, user will have sudo access in the openvscode-server terminal with the specified password." }
+  - { env_var: "SUDO_PASSWORD_HASH", env_value: "", desc: "Optionally set sudo password via hash (takes priority over `SUDO_PASSWORD` var). Format is `$type$salt$hashed`." }
 
 optional_block_1: false
 optional_block_1_items: ""
@@ -60,6 +62,7 @@ app_setup_block: |
 
 # changelog
 changelogs:
+  - { date: "30.11.21:", desc: "Fix app folder permissions, add the optional sudo password vars." }
   - { date: "29.11.21:", desc: "Create `.profile` and `.bashrc` for the user." }
   - { date: "29.11.21:", desc: "Release `insiders` tag." }
   - { date: "28.11.21:", desc: "Initial Release." }
diff --git a/root/etc/cont-init.d/30-config b/root/etc/cont-init.d/30-config
index 9cfe88d..a904f00 100644
--- a/root/etc/cont-init.d/30-config
+++ b/root/etc/cont-init.d/30-config
@@ -34,11 +34,14 @@ if [ -f "/usr/bin/find" ] && [ -f "/usr/bin/xargs" ]; then
 
     echo "setting permissions::workspace"
     chown abc:abc /config/workspace
+    echo "setting permissions::app"
+    chown -R abc:abc /app/openvscode-server
 else
     # Set permissions on data mount
     # do not decend into the workspace
     chown -R abc:abc "$(ls /config -I workspace)"
     chown abc:abc /config/workspace
+    chown -R abc:abc /app/openvscode-server
 fi
 chmod 700 /config/.ssh
 if [ -n "$(ls -A /config/.ssh)" ]; then