diff --git a/Makefile b/Makefile
index efe111d..1d4b540 100644
--- a/Makefile
+++ b/Makefile
@@ -12,7 +12,7 @@ run: cloner
 	docker run -v $(GLOBALVOL):/data -it --rm $(TAGBASE)
 
 run-once: cloner
-	docker run -v $(GLOBALVOL):/data -it --rm --user=executor $(TAGBASE) /usr/local/bin/cron-command
+	docker run -v $(GLOBALVOL):/data -it --rm $(TAGBASE) /usr/local/bin/cron-command
 
 run-bash: cloner
 	docker run -v $(GLOBALVOL):/data -it --rm $(TAGBASE) /bin/bash
diff --git a/dockerbin/cron-command b/dockerbin/cron-command
index 4bd49b7..3f8be34 100755
--- a/dockerbin/cron-command
+++ b/dockerbin/cron-command
@@ -2,6 +2,13 @@
 set -euo pipefail
 IFS=$'\n\t'
 
+# if started as root
+if [ $UID -eq 0 ]
+then
+	find /data \! -user executor -exec chown executor:executor {} \;
+	su executor -c cron-command
+	exit $?
+fi
 # check lock
 lock=/var/run/cloner.pid
 
diff --git a/dockerbin/wizzard b/dockerbin/wizzard
index 080dd4d..9f3469e 100755
--- a/dockerbin/wizzard
+++ b/dockerbin/wizzard
@@ -2,6 +2,14 @@
 set -euo pipefail
 IFS=$'\n\t'
 
+# if started as root
+if [ $UID -eq 0 ]
+then
+	chown executor:executor /data
+	su executor -c wizzard
+	exit $?
+fi
+
 dir_prefix=cloner
 
 function die(){
@@ -88,7 +96,7 @@ function reuseSSHKey(){
 	sed -e 's/#.*$//' $scratch > $keyfile
 	rm $scratch
 	echo "Checking key..."
-	chmod 0600 $keyfile
+	chmod 0700 $keyfile
 	ssh-keygen -y -f $keyfile -P ""	|| true # will fail in the end, so script will continue and clean up the mess
 }