diff --git a/flake.nix b/flake.nix
index e3b9182..9ab4655 100644
--- a/flake.nix
+++ b/flake.nix
@@ -118,13 +118,13 @@
 users.mutableUsers = false;
 users.users.appvm = {
- uid = 1001;
+ uid = 1337;
 isNormalUser = true;
 home = "/home/appvm";
 description = "microVM User";
 extraGroups = [ "wheel" "video" "input" ];
 };
- users.groups.appvm.gid = 1001;
+ users.groups.appvm.gid = 1337;
 users.allowNoPasswordLogin = true;
 hardware.graphics.enable = true;
diff --git a/munix b/munix
index fab5448..59e9ea0 100755
--- a/munix
+++ b/munix
@@ -5,6 +5,8 @@ PASST_PATH=$(dirname $(which passt))
 HOST_OPENGL_DRIVER=/run/opengl-driver
 MICROVM_CLOSURE=
 MICROVM_COMMAND=()
+MICROVM_UID=1337
+MICROVM_GID=1337
 BWRAP_ARGS=()
 MUVM_ARGS=()
 GPU=1
@@ -15,6 +17,8 @@ export TMP=/tmp TMPDIR=/tmp TEMP=/tmp TEMPDIR=/tmp LC_ALL=C
 while [ "$#" -gt 0 ]; do
 case "$1" in
+ -u|--uid) MICROVM_UID="$2"; shift 2;;
+ -g|--gid) MICROVM_GID="$2"; shift 2;;
 --no-gpu) GPU=0; shift 1;;
 --no-wayland) WAYLAND=0; shift 1;;
 --no-pipewire) PIPEWIRE=0; shift 1;;
@@ -95,7 +99,7 @@ else
 fi
 exec bwrap --unshare-all --share-net \
- --uid 1001 --gid 1001 \
+ --uid $MICROVM_UID --gid $MICROVM_GID \
 --tmpfs / \
 --dir /run --dir /var --symlink /run /var/run --dir /tmp \
 --proc /proc --ro-bind /sys /sys \
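Review bot: The new `uid = 1337;` and `users.groups.appvm.gid = 1337;` duplicate the `MICROVM_UID=1337` / `MICROVM_GID=1337` defaults introduced in `munix` in the same commit, with nothing in either file pointing at the other, so the next person changing one value has no cue to change both. Suggest a comment above the uid line: `# must match the MICROVM_UID/MICROVM_GID defaults in ./munix (overridable there with --uid/--gid)`. Since munix now also forwards `MICROVM_UID`/`MICROVM_GID` into the guest environment, a caller-supplied `--uid` will presumably disagree with this static declaration; how munix-init-user reconciles the two is not visible here and is worth confirming.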
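Review bot: The new `-u|--uid)` and `-g|--gid)` arms store `"$2"` without checking that a value is present or that it is numeric. When `--uid` is the last argument, `$2` is empty and `shift 2` fails without shifting in bash, so the `while [ "$#" -gt 0 ]` loop never advances (nothing in the hunk shows `set -e`, which would otherwise abort instead); a non-numeric or whitespace-containing value is then passed on as-is to bwrap's `--uid`/`--gid` in the later hunk, to the guest via `-e MICROVM_UID=...`, and presumably into the generated /etc/passwd and /etc/group fed through `--file 11`/`--file 12` (that content is not visible in this diff). Rejecting anything but a plain non-negative integer at parse time keeps every downstream consumer honest; the same check belongs in the chown hunk's caller if those values come from elsewhere. The enclosing `while`/`case` continues outside this hunk.

```shell
    -u|--uid)
      [[ "${2-}" =~ ^[0-9]+$ ]] || { echo "munix: $1 requires a numeric uid" >&2; exit 1; }
      MICROVM_UID="$2"; shift 2;;
    -g|--gid)
      [[ "${2-}" =~ ^[0-9]+$ ]] || { echo "munix: $1 requires a numeric gid" >&2; exit 1; }
      MICROVM_GID="$2"; shift 2;;
    # … unchanged: --no-gpu, --no-wayland, --no-pipewire arms …
```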
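Review bot: `--uid $MICROVM_UID --gid $MICROVM_GID \` leaves both expansions unquoted, so an empty value (e.g. from `--uid ''`) collapses out of the argument vector and bwrap then reads `--gid` as the argument of `--uid`, while a value containing whitespace splits into extra arguments; either way the failure mode is a confusing bwrap error rather than a clear rejection. The other expansions in this same exec command (`"$XDG_RUNTIME_DIR"`, `"$MICROVM_CLOSURE"`) are quoted, so follow suit: `--uid "$MICROVM_UID" --gid "$MICROVM_GID" \`. The `exec bwrap` command continues past the end of this hunk.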
@@ -108,13 +112,23 @@ exec bwrap --unshare-all --share-net \
 --ro-bind /nix/store /nix/store \
 --ro-bind /run/systemd/resolve /run/systemd/resolve \
 --ro-bind /etc/resolv.conf /etc/resolv.conf \
- --ro-bind /etc/group /etc/group \
- --ro-bind /etc/passwd /etc/passwd \
+ --file 11 /etc/passwd \
+ --file 12 /etc/group \
 --dir "$XDG_RUNTIME_DIR" \
 --setenv PATH "/run/munix/muvm:/run/munix/passt:$MICROVM_CLOSURE/sw/bin" \
 "${BWRAP_ARGS[@]}" \
 muvm \
 -x /usr/bin/munix-init-root -X /usr/bin/munix-init-user --udevd-path="$MICROVM_CLOSURE/sw/bin/true" \
 "${MUVM_ARGS[@]}" \
- -e MICROVM_CLOSURE="$MICROVM_CLOSURE" \
- -i -t "${MICROVM_COMMAND[@]}"
+ -e MICROVM_CLOSURE="$MICROVM_CLOSURE" -e MICROVM_UID="$MICROVM_UID" -e MICROVM_GID="$MICROVM_GID" \
+ -i -t "${MICROVM_COMMAND[@]}" \
+ 11< <(cat </run/log/activate.spam 2>&1 umount /dev/shm # restore the original virtiofs dax shm though
-chown 1001:1001 /run /dev # avoid "Detected unsafe path transition"
+chown $MICROVM_UID:$MICROVM_GID /run /dev # avoid "Detected unsafe path transition"
 systemd-tmpfiles --create >/run/log/tmpfiles.spam 2>&1 systemd-machine-id-setup >/dev/null 2>&1