diff --git a/Dockerfile b/Dockerfile
index 3a9760a82..b489ead95 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,10 +1,31 @@
 FROM node:4.4
-RUN mkdir -p /usr/src/app
-WORKDIR /usr/src/app
-COPY package.json /usr/src/app/
+ENV user nodegoat_docker
+ENV workdir /usr/src/app/
+
+# Home is required for npm install. System account with no ability to login to shell
+RUN useradd --create-home --system --shell /bin/false $user
+
+RUN mkdir --parents $workdir
+WORKDIR $workdir
+COPY package.json $workdir
+
+# chown is required by npm install as a non-root user.
+RUN chown $user:$user --recursive $workdir
+
+# Then all further actions including running the containers should be done under non-root user.
+USER $user
 RUN npm install
-COPY . /usr/src/app/
+COPY . $workdir
+
+# Permissions need to be reapplied, due to how docker applies root to new files.
+USER root
+RUN chown $user:$user --recursive $workdir
+RUN chmod --recursive o-wrx $workdir
+
+RUN ls -liah
+RUN ls ../ -liah
+USER $user
 
 # Neither of the following work, because the mongo container isn't yet running.
 #RUN node artifacts/db-reset.js
diff --git a/docker-compose.yml b/docker-compose.yml
index 3afdf1bd7..633e6e725 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -10,5 +10,6 @@ services:
       - mongo
   mongo:
     image: mongo:latest
+    user: mongodb
     expose:
       - "27017"
diff --git a/package.json b/package.json
index d8607ac11..368b70a52 100644
--- a/package.json
+++ b/package.json
@@ -29,7 +29,7 @@
   },
   "devDependencies": {
     "async": "^2.0.0-rc.4",
-    "grunt": "^1.0.1",
+    "grunt": "~0.4.5",
     "grunt-cli": "^1.2.0",
     "grunt-concurrent": "^2.3.0",
     "grunt-contrib-jshint": "^1.0.0",
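Review bot: The `RUN ls -liah` and `RUN ls ../ -liah` steps added just before the final `USER $user` are build-time debugging output; each one adds a layer to the image and they should be dropped before merge. The `ENV user nodegoat_docker` and `ENV workdir /usr/src/app/` lines at the top of the hunk are only consumed by build steps, yet `ENV` persists both names into the environment of every running container; `ARG user=nodegoat_docker` and `ARG workdir=/usr/src/app/` keep them build-only while the existing `$user`/`$workdir` substitutions in `RUN`, `WORKDIR`, `COPY` and `USER` keep working, and they also avoid the legacy space-separated `ENV key value` syntax. The second `RUN chown $user:$user --recursive $workdir` after `COPY . $workdir` rewrites the whole application tree into an extra layer, which `COPY --chown=$user:$user . $workdir` avoids if the build daemon in use supports the flag; the separate `RUN chmod --recursive o-wrx $workdir` would still be needed.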
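Review bot: The added `user: mongodb` depends on that account existing with a stable meaning in the image's passwd database, but the service is still pulled as the floating `mongo:latest`, so an upstream image change can silently alter what the container runs as; pin the tag alongside this change, e.g. `image: mongo:3.2` (constructed example — use the version actually tested). As far as I recall, the official mongo entrypoint only fixes up ownership of the data directories and then drops privileges when it starts as root, so starting directly as `mongodb` may fail to open a mounted data volume the container does not already own — worth verifying with the volume configuration used by this compose file.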