diff --git a/Dockerfile b/Dockerfile
index 92088c8..c2c3028 100755
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,7 +2,7 @@
 FROM python:alpine
 RUN apk update
-RUN apk add g++ git pcre2-dev libnetfilter_queue-dev libpcap-dev libcrypto1.1 libnfnetlink-dev libmnl-dev make cmake nftables boost-dev
+RUN apk add g++ git pcre2-dev libnetfilter_queue-dev libpcap-dev libcrypto1.1 libnfnetlink-dev libmnl-dev make cmake nftables boost-dev libcap shadow bash
 WORKDIR /tmp/
 RUN git clone --single-branch --branch release https://github.com/jpcre2/jpcre2
@@ -12,12 +12,19 @@
 RUN ./configure; make; make install
 WORKDIR /tmp/libtins
 RUN mkdir build; cd build; cmake ../ -DLIBTINS_ENABLE_CXX11=1; make; make install
-
 RUN mkdir -p /execute/modules
+
+
 WORKDIR /execute
 ADD ./backend/requirements.txt /execute/requirements.txt
-RUN pip3 install --no-cache-dir -r /execute/requirements.txt
+
+RUN pip3 install --no-cache-dir -r /execute/requirements.txt --no-warn-script-location
+
+RUN chown nobody:nobody -R /execute/
+RUN usermod -d /tmp/nobody nobody && usermod --shell /bin/sh nobody
+USER nobody
+RUN mkdir /tmp/nobody
 COPY ./backend/binsrc /execute/binsrc
@@ -25,9 +32,11 @@
 ARG GCC_PARAMS
 RUN g++ binsrc/nfqueue.cpp -o modules/cppqueue -O3 -march=native -lnetfilter_queue -pthread -lpcre2-8 -ltins -lmnl -lnfnetlink
 RUN g++ binsrc/proxy.cpp -o modules/proxy -O3 -march=native $GCC_PARAMS -pthread -lboost_system -lboost_thread -lpcre2-8
+
 COPY ./backend/ /execute/
 COPY ./frontend/build/ ./frontend/
-ENTRYPOINT ["python3", "app.py", "DOCKER"]
+USER root
+ENTRYPOINT ["/bin/sh", "/execute/docker-entrypoint.sh"]
diff --git a/backend/binsrc/nfqueue.cpp b/backend/binsrc/nfqueue.cpp
index f5267a1..224ad85 100644
--- a/backend/binsrc/nfqueue.cpp
+++ b/backend/binsrc/nfqueue.cpp
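Review bot: `shadow` is added to the runtime image although, as far as this diff shows, it is only needed for the build-time `usermod` calls later in the Dockerfile; its setuid helpers then stay in the final layer (verify with `find / -perm -4000` in the built image). Install it only for that step and remove it again, e.g. `apk add --no-cache --virtual .user-deps shadow && usermod -d /tmp/nobody nobody && usermod --shell /bin/sh nobody && apk del .user-deps`, or edit the `nobody` entry with busybox tooling instead. `bash` does look required, since `capsh` hands its `--` arguments to `/bin/bash`, so keep it, but all three new packages are unpinned (hadolint DL3018) and so the image is not reproducible across rebuilds.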
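Review bot: The new `RUN chown nobody:nobody -R /execute/` runs before the `COPY ./backend/binsrc /execute/binsrc` line that closes this hunk (and before the later `COPY ./backend/` and `COPY ./frontend/build/`), so everything copied afterwards is root-owned again; that is presumably why docker-entrypoint.sh has to re-`chown` the tree as root on every start. Replace the build-time chown with `COPY --chown=nobody:nobody ./backend/binsrc /execute/binsrc` and put the same flag on the later COPY lines, so ownership is settled in the image and the runtime chown can go. `usermod -d /tmp/nobody nobody` places the user's home under world-writable `/tmp`, with `RUN mkdir /tmp/nobody` creating it one step later; a dedicated directory such as `/home/nobody` (or `usermod -m -d /home/nobody nobody`) avoids another process pre-creating or replacing that path at runtime.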
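Review bot: The image now ends with `USER root`, so anything that bypasses the entrypoint — `docker exec`, an `--entrypoint` or orchestrator `command` override — runs as root, and the privilege drop inside docker-entrypoint.sh is the only thing between that and a root shell. If the nfqueue binding in `modules/cppqueue` is the only operation that needs CAP_NET_ADMIN, keep `USER nobody` as the final user and grant the capability to the binary instead, e.g. `setcap cap_net_admin+ep /execute/modules/cppqueue` in a root `RUN` step before switching user (the container still needs `--cap-add NET_ADMIN` for the capability to be in the bounding set); whether `app.py` itself needs it for `nftables` is not visible here. If root has to stay, document why next to it, `# root only so docker-entrypoint.sh can drop to nobody with ambient CAP_NET_ADMIN`, so the next reviewer does not flag it again.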
@@ -44,10 +44,6 @@ bool filter_callback(const uint8_t *data, uint32_t len){
 int main(int argc, char *argv[]) {
- if(!is_sudo()){
- cerr << "[fatal] [main] You must be root to run this program" << endl;
- exit(EXIT_FAILURE);
- }
 int n_of_threads = 1;
 if (argc >= 2) n_of_threads = atoi(argv[1]);
 if(n_of_threads <= 0) n_of_threads = 1;
diff --git a/backend/binsrc/utils.hpp b/backend/binsrc/utils.hpp
index d7a092a..9d40366 100644
--- a/backend/binsrc/utils.hpp
+++ b/backend/binsrc/utils.hpp
@@ -20,9 +20,4 @@ bool unhexlify(std::string const &hex, std::string &newString) {
 }
 }
-
-bool is_sudo(){
- return getuid() == 0;
- }
-
 #endif
\ No newline at end of file
diff --git a/backend/docker-entrypoint.sh b/backend/docker-entrypoint.sh
new file mode 100644
index 0000000..6d7520a
--- /dev/null
+++ b/backend/docker-entrypoint.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+chown nobody:nobody -R /execute/
+
+capsh --caps="cap_net_admin+eip cap_setpcap,cap_setuid,cap_setgid+ep" \
+ --keep=1 --user=nobody --addamb=cap_net_admin -- \
+ -c "python3 /execute/app.py DOCKER"
+
+
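Review bot: Dropping the `is_sudo()` guard is the right direction now that the process is meant to run as nobody with ambient CAP_NET_ADMIN, but nothing replaces it, so a run without the capability (a plain `docker run` without `--cap-add NET_ADMIN`, or the entrypoint bypassed) only fails later at the nfqueue setup, which lies outside this hunk and whose error handling I cannot see. Checking the effective capability set at the top of `main` restores the same early, explicit failure the root check gave; with libcap it is a handful of lines, at the cost of `#include <sys/capability.h>`, `libcap-dev` at build time and `-lcap` on the g++ line (the Dockerfile currently installs only `libcap`). `main`'s body continues past the end of the hunk.
```cpp
int main(int argc, char *argv[]) {
    // Fail fast if CAP_NET_ADMIN is not effective; the nfqueue binding needs it.
    cap_t caps = cap_get_proc();
    cap_flag_value_t has_net_admin = CAP_CLEAR;
    if (caps == nullptr ||
        cap_get_flag(caps, CAP_NET_ADMIN, CAP_EFFECTIVE, &has_net_admin) != 0 ||
        has_net_admin != CAP_SET) {
        cerr << "[fatal] [main] CAP_NET_ADMIN is required to run this program" << endl;
        exit(EXIT_FAILURE);
    }
    cap_free(caps);
    // … unchanged: thread-count parsing and the rest of main …
```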
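Review bot: The script never `exec`s, so at runtime PID 1 is the `/bin/sh` running this file, `capsh` is its child and the Python app a grandchild; `docker stop` delivers SIGTERM to that shell, which does not forward it, so the app is only killed after the grace period. Make the last command `exec capsh ... -- -c "exec python3 /execute/app.py DOCKER"` so the app ends up as PID 1 (or keep the wrapper and run it under an init such as `tini`). Also add `set -e` after the shebang so a failed `chown` does not silently continue into the privilege drop. Note that `--addamb=cap_net_admin` is inherited across `execve` by every child the app spawns — the `proxy` module too, as far as this diff shows — so if only `cppqueue`/`nftables` need it, a file capability on that binary would be narrower; and the root `chown -R /execute/` on every start would be unnecessary if ownership were fixed at build time with `COPY --chown`.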