diff --git a/build-workspace.sh b/build-workspace.sh
index e69c0fd..8a43805 100755
--- a/build-workspace.sh
+++ b/build-workspace.sh
@@ -14,16 +14,17 @@ ctr=$(buildah from archlinux)
 buildah run "$ctr" -- bash -c "\
 pacman -Sy --noconfirm && pacman -S --noconfirm neovim git zsh tmux podman \
 fzf fd ripgrep jdk-openjdk && pacman -Scc --noconfirm && \
- useradd -ms /bin/zsh $DEV_USER && \
- useradd --system --no-create-home --shell /usr/sbin/nologin viewer && \
- usermod -aG $DEV_USER viewer && mkdir -p /tmp/tmux-shared && \
- mkdir -p $DEV_HOME/.gnupg && mkdir -p $SECURE
+ groupadd secproc && useradd -ms /bin/zsh -G secproc $DEV_USER && \
+ useradd --system --no-create-home -s /usr/sbin/nologin -G $DEV_USER viewer && \
+ mkdir -p /tmp/tmux-shared && chown -R $DEV_USER:$DEV_USER /tmp/tmux-shared && \
+ mkdir -p $SECURE && chmod -R 500 $SECURE && \
+ mkdir /app && chmod 700 /app && chown $DEV_USER:$DEV_USER /app
 "
 # copy start script
-buildah copy "$ctr" start.sh /start.sh
+buildah copy "$ctr" start.sh $DEV_HOME/start.sh
 # copy ssh setup
-buildah copy "$ctr" ssh "$SECURE"/ssh
+buildah copy "$ctr" ssh $SECURE/ssh
 # copy zshrc, neovim and tmux setup
 buildah copy "$ctr" zshrc $DEV_HOME/.zshrc
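Review bot: `chmod -R 500 $SECURE` now runs in the first `buildah run`, before `buildah copy "$ctr" ssh $SECURE/ssh` brings the SSH material in, and the post-copy `chmod -R 500 $SECURE` that the second `buildah run` (next hunk) used to perform is deleted, so the copied key files keep whatever modes the build context gives them. Add a tightening step after the copy, e.g. `find $SECURE -type f -exec chmod 400 {} +` in the second run, or move the existing `chmod -R 500 $SECURE` there. /tmp/tmux-shared likewise loses its `chmod 750` and is created with the umask default; if it is the tmux socket directory shared with viewer, tmux refuses a socket directory with any "other" permission bits, so keep `chmod 750 /tmp/tmux-shared` next to the new chown. Dropping the quotes from `"$SECURE"/ssh` is a small regression; `$SECURE` and `$DEV_HOME` are unquoted in all the new copy lines.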
@@ -32,21 +33,17 @@ buildah copy "$ctr" local $DEV_HOME/.local
 # zsh and tmux config (immutable)
 buildah run "$ctr" -- bash -c "
- find $DEV_HOME -type f -exec chmod 400 {} + && \
- find $DEV_HOME -type f -exec chattr +i {} + && \
- find $DEV_HOME -type d -exec chmod 700 {} + && \
- chmod 750 /tmp/tmux-shared && chmod -R 500 $SECURE && \
- chmod +x /start.sh && \
 chown -R $DEV_USER:$DEV_USER $DEV_HOME && \
- chattr -R +x $DEV_HOME && chattr +x /tmp/tmux-shared && \
- chown -R $DEV_USER:$DEV_USER /tmp/tmux-shared
+ find $DEV_HOME -type f -exec chmod 750 {} + && \
+ find $DEV_HOME -type f -exec chown root:secproc {} + && \
+ setfacl -R -m u:devuser:--x $DEV_HOME && \
 "
 buildah config \
 --user $DEV_USER \
 --workingdir /app \
 --env CONTAINER_HOST=unix:///run/podman/podman.sock \
- --cmd "/start.sh" \
+ --cmd "$DEV_HOME/start.sh" \
 "$ctr"
 buildah commit "$ctr" $IMG_NAME
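Review bot: The new last command inside the second `buildah run` string, `setfacl -R -m u:devuser:--x $DEV_HOME && \`, keeps a trailing `&& \`, so once the outer shell joins the continuation the text handed to `bash -c` ends in `&&` and bash rejects it as a syntax error before any of the chown/chmod/setfacl work runs; drop the trailer and use the variable: `setfacl -R -m u:$DEV_USER:--x $DEV_HOME`. That same line hard-codes `devuser` while every other command uses `$DEV_USER`, so the ACL targets a non-existent account whenever the variable is set to anything else. Under POSIX ACL evaluation a matching named-user entry is used instead of the owning-group bits, so granting `$DEV_USER` only `--x` on every regular file would presumably leave it unable to read its own .zshrc and tmux config despite `secproc` having r-x from `chmod 750` — confirm that is intended, or restrict the entry to directories. The heading comment `# zsh and tmux config (immutable)` is stale now that the `chattr +i` step is gone; `# zsh and tmux config (root-owned, read-only for the dev user)` would describe the new scheme.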