diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2e31d6107..2a96d522f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -32,7 +32,7 @@ All notable changes to this project will be documented in this file.
 - Enable [Docker build checks](https://docs.docker.com/build/checks/) ([#872]).
 - java: migrate to temurin jdk/jre ([#894]).
 - tools: bump kubectl to `1.31.1` and jq to `1.7.1` ([#896]).
-- Make username, user id, group id configurable, use numeric ids everywhere, change group of all files to 0 ([#849], [#890]).
+- Make username, user id, group id configurable, use numeric ids everywhere, change group of all files to 0 ([#849], [#890], [#897]).
 - ci: Bump `stackabletech/actions` to 0.0.7 ([#901], [#903]).
 
 ### Removed
@@ -87,6 +87,7 @@ All notable changes to this project will be documented in this file.
 [#890]: https://github.com/stackabletech/docker-images/pull/890
 [#894]: https://github.com/stackabletech/docker-images/pull/894
 [#896]: https://github.com/stackabletech/docker-images/pull/896
+[#897]: https://github.com/stackabletech/docker-images/pull/897
 [#898]: https://github.com/stackabletech/docker-images/pull/898
 [#901]: https://github.com/stackabletech/docker-images/pull/901
 [#903]: https://github.com/stackabletech/docker-images/pull/903
diff --git a/airflow/Dockerfile b/airflow/Dockerfile
index 5cefe0079..033d4aa71 100644
--- a/airflow/Dockerfile
+++ b/airflow/Dockerfile
@@ -135,6 +135,13 @@ chown -R ${STACKABLE_USER_UID}:0 /stackable
 chmod -R g=u /stackable
 EOF
 
+# ----------------------------------------
+# Attention: We are changing the group of all files in /stackable directly above
+# If you do any file based actions (copying / creating etc.) below this comment you
+# absolutely need to make sure that the correct permissions are applied!
+# chown ${STACKABLE_USER_UID}:0
+# ----------------------------------------
+
 USER ${STACKABLE_USER_UID}
 WORKDIR /stackable
 
diff --git a/druid/Dockerfile b/druid/Dockerfile
index a294ac552..6cc597774 100644
--- a/druid/Dockerfile
+++ b/druid/Dockerfile
@@ -126,6 +126,13 @@ chown -R ${STACKABLE_USER_UID}:0 /stackable
 chmod -R g=u /stackable
 EOF
 
+# ----------------------------------------
+# Attention: We are changing the group of all files in /stackable directly above
+# If you do any file based actions (copying / creating etc.) below this comment you
+# absolutely need to make sure that the correct permissions are applied!
+# chown ${STACKABLE_USER_UID}:0
+# ----------------------------------------
+
 USER ${STACKABLE_USER_UID}
 ENV PATH="${PATH}":/stackable/druid/bin
 
diff --git a/hadoop/Dockerfile b/hadoop/Dockerfile
index 124a7abc4..28e65634c 100644
--- a/hadoop/Dockerfile
+++ b/hadoop/Dockerfile
@@ -177,6 +177,13 @@ EOF
 
 COPY hadoop/licenses /licenses
 
+# ----------------------------------------
+# Attention: We are changing the group of all files in /stackable directly above
+# If you do any file based actions (copying / creating etc.) below this comment you
+# absolutely need to make sure that the correct permissions are applied!
+# chown ${STACKABLE_USER_UID}:0
+# ----------------------------------------
+
 USER ${STACKABLE_USER_UID}
 
 ENV HOME=/stackable
diff --git a/hbase/Dockerfile b/hbase/Dockerfile
index d72343144..7b9db6c3e 100644
--- a/hbase/Dockerfile
+++ b/hbase/Dockerfile
@@ -362,6 +362,13 @@ chown -R ${STACKABLE_USER_UID}:0 /stackable
 chmod -R g=u /stackable
 EOF
 
+# ----------------------------------------
+# Attention: We are changing the group of all files in /stackable directly above
+# If you do any file based actions (copying / creating etc.) below this comment you
+# absolutely need to make sure that the correct permissions are applied!
+# chown ${STACKABLE_USER_UID}:0
+# ----------------------------------------
+
 USER ${STACKABLE_USER_UID}
 ENV HBASE_CONF_DIR=/stackable/hbase/conf
 ENV HOME=/stackable
diff --git a/hello-world/Dockerfile b/hello-world/Dockerfile
index 9680043b6..3a27047cf 100644
--- a/hello-world/Dockerfile
+++ b/hello-world/Dockerfile
@@ -28,6 +28,13 @@ chown -R ${STACKABLE_USER_UID}:0 /stackable
 chmod -R g=u /stackable
 EOF
 
+# ----------------------------------------
+# Attention: We are changing the group of all files in /stackable directly above
+# If you do any file based actions (copying / creating etc.) below this comment you
+# absolutely need to make sure that the correct permissions are applied!
+# chown ${STACKABLE_USER_UID}:0
+# ----------------------------------------
+
 USER ${STACKABLE_USER_UID}
 WORKDIR /stackable
 
diff --git a/hive/Dockerfile b/hive/Dockerfile
index 794faef6b..d3f5f61ae 100644
--- a/hive/Dockerfile
+++ b/hive/Dockerfile
@@ -142,6 +142,13 @@ EOF
 COPY --chown=${STACKABLE_USER_UID}:0 --from=hive-builder /stackable/jmx /stackable/jmx
 COPY hive/licenses /licenses
 
+# ----------------------------------------
+# Attention: We are changing the group of all files in /stackable directly above
+# If you do any file based actions (copying / creating etc.) below this comment you
+# absolutely need to make sure that the correct permissions are applied!
+# chown ${STACKABLE_USER_UID}:0
+# ----------------------------------------
+
 USER ${STACKABLE_USER_UID}
 
 ENV HADOOP_HOME=/stackable/hadoop
diff --git a/kafka/Dockerfile b/kafka/Dockerfile
index 4fac60a91..c8ae7f05e 100644
--- a/kafka/Dockerfile
+++ b/kafka/Dockerfile
@@ -102,6 +102,13 @@ chown -R ${STACKABLE_USER_UID}:0 /stackable
 chmod -R g=u /stackable
 EOF
 
+# ----------------------------------------
+# Attention: We are changing the group of all files in /stackable directly above
+# If you do any file based actions (copying / creating etc.) below this comment you
+# absolutely need to make sure that the correct permissions are applied!
+# chown ${STACKABLE_USER_UID}:0
+# ----------------------------------------
+
 USER ${STACKABLE_USER_UID}
 
 ENV PATH="${PATH}:/stackable/bin:/stackable/kafka/bin"
diff --git a/nifi/Dockerfile b/nifi/Dockerfile
index 472be39a5..4fd145c65 100644
--- a/nifi/Dockerfile
+++ b/nifi/Dockerfile
@@ -129,6 +129,13 @@ chown -R ${STACKABLE_USER_UID}:0 /stackable
 chmod -R g=u /stackable
 EOF
 
+# ----------------------------------------
+# Attention: We are changing the group of all files in /stackable directly above
+# If you do any file based actions (copying / creating etc.) below this comment you
+# absolutely need to make sure that the correct permissions are applied!
+# chown ${STACKABLE_USER_UID}:0
+# ----------------------------------------
+
 USER ${STACKABLE_USER_UID}
 
 ENV HOME=/stackable
diff --git a/omid/Dockerfile b/omid/Dockerfile
index 1c7d14f82..38cec3337 100644
--- a/omid/Dockerfile
+++ b/omid/Dockerfile
@@ -101,6 +101,13 @@ chown -R ${STACKABLE_USER_UID}:0 /stackable
 chmod -R g=u /stackable
 EOF
 
+# ----------------------------------------
+# Attention: We are changing the group of all files in /stackable directly above
+# If you do any file based actions (copying / creating etc.) below this comment you
+# absolutely need to make sure that the correct permissions are applied!
+# chown ${STACKABLE_USER_UID}:0
+# ----------------------------------------
+
 USER ${STACKABLE_USER_UID}
 WORKDIR /stackable/omid-tso-server
 
diff --git a/opa/Dockerfile b/opa/Dockerfile
index 1979cd061..b25cc0e2d 100644
--- a/opa/Dockerfile
+++ b/opa/Dockerfile
@@ -133,6 +133,13 @@ chown -R ${STACKABLE_USER_UID}:0 /stackable
 chmod -R g=u /stackable
 EOF
 
+# ----------------------------------------
+# Attention: We are changing the group of all files in /stackable directly above
+# If you do any file based actions (copying / creating etc.) below this comment you
+# absolutely need to make sure that the correct permissions are applied!
+# chown ${STACKABLE_USER_UID}:0
+# ----------------------------------------
+
 USER ${STACKABLE_USER_UID}
 WORKDIR /stackable/opa
 
diff --git a/spark-k8s/Dockerfile b/spark-k8s/Dockerfile
index 965efdaf3..e68a18721 100644
--- a/spark-k8s/Dockerfile
+++ b/spark-k8s/Dockerfile
@@ -328,6 +328,13 @@ chown -R ${STACKABLE_USER_UID}:0 /stackable
 chmod -R g=u /stackable
 EOF
 
+# ----------------------------------------
+# Attention: We are changing the group of all files in /stackable directly above
+# If you do any file based actions (copying / creating etc.) below this comment you
+# absolutely need to make sure that the correct permissions are applied!
+# chown ${STACKABLE_USER_UID}:0
+# ----------------------------------------
+
 USER ${STACKABLE_USER_UID}
 
 WORKDIR /stackable/spark
diff --git a/stackable-base/Dockerfile b/stackable-base/Dockerfile
index b7184dcc3..74460f534 100644
--- a/stackable-base/Dockerfile
+++ b/stackable-base/Dockerfile
@@ -155,7 +155,7 @@ chown ${STACKABLE_USER_UID}:0 /stackable/.bashrc
 chown ${STACKABLE_USER_UID}:0 /stackable/.profile
 
 cp /root/.curlrc /stackable/.curlrc
-chown stackable:0 /stackable/.curlrc
+chown ${STACKABLE_USER_UID}:0 /stackable/.curlrc
 
 # CVE-2023-37920: Remove "e-Tugra" root certificates
 # e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems
diff --git a/statsd_exporter/Dockerfile b/statsd_exporter/Dockerfile
index 89195f078..a64efe36a 100644
--- a/statsd_exporter/Dockerfile
+++ b/statsd_exporter/Dockerfile
@@ -3,10 +3,11 @@
 
 FROM stackable/image/stackable-base
 ARG PRODUCT
+ARG STACKABLE_USER_UID
 
 WORKDIR /statsd_exporter
 
-RUN --mount=type=cache,id=go-statsd-exporter,uid=1000,target=/go_cache <<EOF
+RUN --mount=type=cache,id=go-statsd-exporter,uid=${STACKABLE_USER_UID},target=/go_cache <<EOF
 microdnf update
 
 # Tar and gzip are used to unpack the statsd_exporter source
diff --git a/superset/Dockerfile b/superset/Dockerfile
index 90e940c98..11d711b95 100644
--- a/superset/Dockerfile
+++ b/superset/Dockerfile
@@ -89,6 +89,7 @@ FROM stackable/image/vector
 ARG PRODUCT
 ARG PYTHON
 ARG RELEASE
+ARG STACKABLE_USER_UID
 
 LABEL name="Apache Superset" \
       maintainer="info@stackable.tech" \
@@ -105,22 +106,37 @@ ENV FLASK_APP="superset.app:create_app()" \
 ENV PATH="${HOME}/app/bin:${PATH}" \
     PYTHONPATH="${HOME}/app/pythonpath"
 
-RUN microdnf update \
-    && microdnf install \
-        cyrus-sasl \
-        openldap \
-        openldap-clients \
-        openssl-libs \
-        openssl-pkcs11 \
-        python${PYTHON} \
-    && microdnf clean all && \
-    rm -rf /var/cache/yum
+RUN <<EOF
+microdnf update
+microdnf install \
+  cyrus-sasl \
+  openldap \
+  openldap-clients \
+  openssl-libs \
+  openssl-pkcs11 \
+  "python${PYTHON}"
+
+microdnf clean all
+rm -rf /var/cache/yum
+
+# All files and folders owned by root group to support running as arbitrary users.
+# This is best practice as all container users will belong to the root group (0).
+chown -R "${STACKABLE_USER_UID}:0" /stackable
+chmod -R g=u /stackable
+EOF
 
 COPY superset/licenses /licenses
 
-COPY --from=builder --chown=stackable:stackable /stackable/ ${HOME}/
+COPY --from=builder --chown=${STACKABLE_USER_UID}:0 /stackable/ ${HOME}/
+
+# ----------------------------------------
+# Attention: We are changing the group of all files in /stackable directly above
+# If you do any file based actions (copying / creating etc.) below this comment you
+# absolutely need to make sure that the correct permissions are applied!
+# chown ${STACKABLE_USER_UID}:0
+# ----------------------------------------
 
-USER stackable
+USER ${STACKABLE_USER_UID}
 WORKDIR ${HOME}
 
 CMD ["/bin/sh", "-c", \
diff --git a/tools/Dockerfile b/tools/Dockerfile
index b036e3fae..c13ce644a 100644
--- a/tools/Dockerfile
+++ b/tools/Dockerfile
@@ -8,6 +8,7 @@ ARG KUBECTL_VERSION
 ARG RELEASE
 ARG JQ_VERSION
 ARG TARGETARCH
+ARG STACKABLE_USER_UID
 
 LABEL name="Stackable Tools" \
     maintainer="info@stackable.tech" \
@@ -30,16 +31,30 @@ RUN microdnf update && \
 
 COPY tools/licenses /licenses
 
-USER stackable
 WORKDIR /stackable/bin
 ENV PATH=/stackable/bin:$PATH
 
 # Get latest stable version from curl -L -s https://dl.k8s.io/release/stable.txt
-RUN curl https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl \
-    -o /stackable/bin/kubectl && chmod +x /stackable/bin/kubectl
-
-RUN curl https://github.com/stedolan/jq/releases/download/jq-${JQ_VERSION}/jq-linux64 \
-    -o /stackable/bin/jq && \
-    chmod +x /stackable/bin/jq
-
-USER stackable
+RUN <<EOF
+curl "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl" \
+    -o /stackable/bin/kubectl
+chmod +x /stackable/bin/kubectl
+
+curl "https://github.com/stedolan/jq/releases/download/jq-${JQ_VERSION}/jq-linux64" \
+    -o /stackable/bin/jq
+chmod +x /stackable/bin/jq
+
+# All files and folders owned by root group to support running as arbitrary users.
+# This is best practice as all container users will belong to the root group (0).
+chown -R ${STACKABLE_USER_UID}:0 /stackable
+chmod -R g=u /stackable
+EOF
+
+# ----------------------------------------
+# Attention: We are changing the group of all files in /stackable directly above
+# If you do any file based actions (copying / creating etc.) below this comment you
+# absolutely need to make sure that the correct permissions are applied!
+# chown ${STACKABLE_USER_UID}:0
+# ----------------------------------------
+
+USER ${STACKABLE_USER_UID}
diff --git a/trino-cli/Dockerfile b/trino-cli/Dockerfile
index 29ff233f2..a61398d69 100644
--- a/trino-cli/Dockerfile
+++ b/trino-cli/Dockerfile
@@ -5,6 +5,7 @@ FROM stackable/image/java-base
 
 ARG PRODUCT
 ARG RELEASE
+ARG STACKABLE_USER_UID
 
 LABEL name="Trino CLI" \
       maintainer="info@stackable.tech" \
@@ -22,14 +23,27 @@ RUN microdnf update && \
     microdnf clean all && \
     rm -rf /var/cache/yum
 
-USER stackable
-WORKDIR /stackable
 
-COPY --chown=stackable:stackable trino-cli/licenses /licenses
+COPY --chown=${STACKABLE_USER_UID}:0 trino-cli/licenses /licenses
 
 WORKDIR /stackable/trino-cli
 
-RUN curl -O https://repo.stackable.tech/repository/packages/trino-cli/trino-cli-${PRODUCT}-executable.jar \
-    && ln -s trino-cli-${PRODUCT}-executable.jar trino-cli-executable.jar
+RUN <<EOF
+curl -O "https://repo.stackable.tech/repository/packages/trino-cli/trino-cli-${PRODUCT}-executable.jar"
+ln -s "trino-cli-${PRODUCT}-executable.jar" trino-cli-executable.jar
 
+# All files and folders owned by root group to support running as arbitrary users.
+# This is best practice as all container users will belong to the root group (0).
+chown -R ${STACKABLE_USER_UID}:0 /stackable
+chmod -R g=u /stackable
+EOF
+
+# ----------------------------------------
+# Attention: We are changing the group of all files in /stackable directly above
+# If you do any file based actions (copying / creating etc.) below this comment you
+# absolutely need to make sure that the correct permissions are applied!
+# chown ${STACKABLE_USER_UID}:0
+# ----------------------------------------
+
+USER ${STACKABLE_USER_UID}
 ENTRYPOINT ["java", "-jar", "/stackable/trino-cli/trino-cli-executable.jar"]
diff --git a/trino/Dockerfile b/trino/Dockerfile
index b02b99895..97aeca2a0 100644
--- a/trino/Dockerfile
+++ b/trino/Dockerfile
@@ -4,6 +4,7 @@
 FROM stackable/image/java-devel AS storage-connector-builder
 
 ARG STORAGE_CONNECTOR
+ARG STACKABLE_USER_UID
 
 RUN <<EOF
 microdnf update
@@ -18,23 +19,28 @@ EOF
 
 WORKDIR /stackable
 
-COPY --chown=stackable:stackable trino/stackable/patches/apply_patches.sh /stackable/trino-storage-${STORAGE_CONNECTOR}-src/patches/apply_patches.sh
-COPY --chown=stackable:stackable trino/stackable/patches/trino-storage/${STORAGE_CONNECTOR} /stackable/trino-storage-${STORAGE_CONNECTOR}-src/patches/${STORAGE_CONNECTOR}
+COPY --chown=${STACKABLE_USER_UID}:0 trino/stackable/patches/apply_patches.sh /stackable/trino-storage-${STORAGE_CONNECTOR}-src/patches/apply_patches.sh
+COPY --chown=${STACKABLE_USER_UID}:0 trino/stackable/patches/trino-storage/${STORAGE_CONNECTOR} /stackable/trino-storage-${STORAGE_CONNECTOR}-src/patches/${STORAGE_CONNECTOR}
 
 RUN curl "https://repo.stackable.tech/repository/packages/trino-storage/trino-storage-${STORAGE_CONNECTOR}-src.tar.gz" | tar -xzC .
 # adding a hadolint ignore for SC2215, due to https://github.com/hadolint/hadolint/issues/980
 # hadolint ignore=SC2215
-RUN --mount=type=cache,target=/root/.m2/repository cd trino-storage-${STORAGE_CONNECTOR}-src && \
-    ./patches/apply_patches.sh ${STORAGE_CONNECTOR} && \
-    # Upstream builds are marked as -SNAPSHOT, even for release builds
-    mvn versions:set -DnewVersion=${STORAGE_CONNECTOR} && \
-    # We need to use ./mvnw instead of mvn to get a recent maven version (which is required to build Trino)
-    ./mvnw package -DskipTests -Dmaven.gitcommitid.skip=true
+RUN --mount=type=cache,id=maven-${STORAGE_CONNECTOR},target=/root/.m2/repository <<EOF
+cd trino-storage-${STORAGE_CONNECTOR}-src
+./patches/apply_patches.sh ${STORAGE_CONNECTOR}
+
+# Upstream builds are marked as -SNAPSHOT, even for release builds
+mvn versions:set -DnewVersion=${STORAGE_CONNECTOR}
+
+# We need to use ./mvnw instead of mvn to get a recent maven version (which is required to build Trino)
+./mvnw package -DskipTests -Dmaven.gitcommitid.skip=true
+EOF
 
 FROM stackable/image/java-devel AS builder
 
 ARG PRODUCT
 ARG STORAGE_CONNECTOR
+ARG STACKABLE_USER_UID
 
 RUN <<EOF
 microdnf update
@@ -51,35 +57,42 @@ WORKDIR /stackable
 
 RUN curl "https://repo.stackable.tech/repository/packages/trino-server/trino-server-${PRODUCT}-src.tar.gz" | tar -xzC .
 
-COPY --chown=stackable:stackable trino/stackable/patches/apply_patches.sh /stackable/trino-server-${PRODUCT}-src/patches/apply_patches.sh
-COPY --chown=stackable:stackable trino/stackable/patches/${PRODUCT} /stackable/trino-server-${PRODUCT}-src/patches/${PRODUCT}
+COPY --chown=${STACKABLE_USER_UID}:0 trino/stackable/patches/apply_patches.sh /stackable/trino-server-${PRODUCT}-src/patches/apply_patches.sh
+COPY --chown=${STACKABLE_USER_UID}:0 trino/stackable/patches/${PRODUCT} /stackable/trino-server-${PRODUCT}-src/patches/${PRODUCT}
 
 # adding a hadolint ignore for SC2215, due to https://github.com/hadolint/hadolint/issues/980
 # hadolint ignore=SC2215
-RUN --mount=type=cache,target=/root/.m2/repository cd "trino-server-${PRODUCT}-src" && \
-    ./patches/apply_patches.sh ${PRODUCT} && \
-    # Trino is using something (git-commit-id-plugin in the past, maybe something else now) that is
-    # reading the Git history and searches for a tag to pull the version from. It sounds weird to me
-    # why someone would do that over just picking the version from the pom.xml, but they propably
-    # have their reasons. See e.g. https://github.com/trinodb/trino/discussions/18963.
-    # So we fake it till we make it and create a Git repo and the correct tag. The trino-operator
-    # smoke test checks that "select version()" is working.
-    git init && \
-    git config user.email "fake.commiter@stackable.tech" && \
-    git config user.name "Fake commiter" && \
-    git commit --allow-empty --message "Fake commit, so that we can create a tag" && \
-    git tag ${PRODUCT} && \
-    # We need to use ./mvnw instead of mvn to get a recent maven version (which is required to build Trino)
-    ./mvnw package -DskipTests --projects="!docs,!core/trino-server-rpm" && \
-    # Delete the worst intermediate build products to free some space
-    rm -r /stackable/trino-server-${PRODUCT}-src/plugin/*/target /stackable/trino-server-${PRODUCT}-src/core/trino-server/target/trino-server-${PRODUCT} && \
-    # Extract from tarball to save space; the tarball deduplicates jars (replacing them with symlinks),
-    # while the raw output folder does not
-    tar -xzf /stackable/trino-server-${PRODUCT}-src/core/trino-server/target/trino-server-${PRODUCT}.tar.gz -C /stackable && \
-    mv /stackable/trino-server-${PRODUCT}-src/core/trino-server/target/bom.json /stackable/trino-server-${PRODUCT}/trino-server-${PRODUCT}.cdx.json && \
-    chown --recursive stackable /stackable/trino-server-${PRODUCT} && \
-    # Delete all intermediate build products to free some more space
-    rm -r /stackable/trino-server-${PRODUCT}-src
+RUN --mount=type=cache,id=maven-${PRODUCT},target=/root/.m2/repository <<EOF
+cd "trino-server-${PRODUCT}-src"
+./patches/apply_patches.sh ${PRODUCT}
+
+# Trino is using something (git-commit-id-plugin in the past, maybe something else now) that is
+# reading the Git history and searches for a tag to pull the version from. It sounds weird to me
+# why someone would do that over just picking the version from the pom.xml, but they propably
+# have their reasons. See e.g. https://github.com/trinodb/trino/discussions/18963.
+# So we fake it till we make it and create a Git repo and the correct tag. The trino-operator
+# smoke test checks that "select version()" is working.
+git init
+git config user.email "fake.commiter@stackable.tech"
+git config user.name "Fake commiter"
+git commit --allow-empty --message "Fake commit, so that we can create a tag"
+git tag ${PRODUCT}
+
+# We need to use ./mvnw instead of mvn to get a recent maven version (which is required to build Trino)
+./mvnw package -DskipTests --projects="!docs,!core/trino-server-rpm"
+
+# Delete the worst intermediate build products to free some space
+rm -r /stackable/trino-server-${PRODUCT}-src/plugin/*/target /stackable/trino-server-${PRODUCT}-src/core/trino-server/target/trino-server-${PRODUCT}
+
+# Extract from tarball to save space; the tarball deduplicates jars (replacing them with symlinks),
+# while the raw output folder does not
+tar -xzf /stackable/trino-server-${PRODUCT}-src/core/trino-server/target/trino-server-${PRODUCT}.tar.gz -C /stackable
+mv /stackable/trino-server-${PRODUCT}-src/core/trino-server/target/bom.json /stackable/trino-server-${PRODUCT}/trino-server-${PRODUCT}.cdx.json
+chown --recursive ${STACKABLE_USER_UID}:0 /stackable/trino-server-${PRODUCT}
+
+# Delete all intermediate build products to free some more space
+rm -r /stackable/trino-server-${PRODUCT}-src
+EOF
 
 COPY --from=storage-connector-builder /stackable/trino-storage-${STORAGE_CONNECTOR}-src/target/trino-storage-${STORAGE_CONNECTOR} /stackable/trino-server-${PRODUCT}/plugin/trino-storage-${STORAGE_CONNECTOR}
 
@@ -103,6 +116,7 @@ RUN /bin/log4shell_scanner s /stackable/trino-server-${PRODUCT}
 FROM stackable/image/java-devel AS jmx-exporter-builder
 
 ARG JMX_EXPORTER
+ARG STACKABLE_USER_UID
 
 RUN <<EOF
 microdnf update
@@ -117,21 +131,24 @@ EOF
 
 WORKDIR /stackable
 
-COPY --chown=stackable:stackable trino/stackable/patches/apply_patches.sh /stackable/jmx_prometheus-${JMX_EXPORTER}-src/patches/apply_patches.sh
-COPY --chown=stackable:stackable trino/stackable/patches/jmx-exporter/${JMX_EXPORTER} /stackable/jmx_prometheus-${JMX_EXPORTER}-src/patches/${JMX_EXPORTER}
+COPY --chown=${STACKABLE_USER_UID}:0 trino/stackable/patches/apply_patches.sh /stackable/jmx_prometheus-${JMX_EXPORTER}-src/patches/apply_patches.sh
+COPY --chown=${STACKABLE_USER_UID}:0 trino/stackable/patches/jmx-exporter/${JMX_EXPORTER} /stackable/jmx_prometheus-${JMX_EXPORTER}-src/patches/${JMX_EXPORTER}
 
 RUN curl "https://repo.stackable.tech/repository/packages/jmx-exporter/jmx_prometheus-${JMX_EXPORTER}-src.tar.gz" | tar -xzC .
 # adding a hadolint ignore for SC2215, due to https://github.com/hadolint/hadolint/issues/980
 # hadolint ignore=SC2215
-RUN --mount=type=cache,target=/root/.m2/repository cd jmx_prometheus-${JMX_EXPORTER}-src && \
-    ./patches/apply_patches.sh ${JMX_EXPORTER} && \
-    mvn package
+RUN --mount=type=cache,id=maven-${JMX_EXPORTER},target=/root/.m2/repository <<EOF
+cd jmx_prometheus-${JMX_EXPORTER}-src
+./patches/apply_patches.sh ${JMX_EXPORTER}
+mvn package
+EOF
 
 FROM stackable/image/java-base
 
 ARG PRODUCT
 ARG JMX_EXPORTER
 ARG RELEASE
+ARG STACKABLE_USER_UID
 
 LABEL name="Trino" \
       maintainer="info@stackable.tech" \
@@ -151,16 +168,31 @@ RUN microdnf update && \
     microdnf clean all && \
     rm -rf /var/cache/yum
 
-USER stackable
 WORKDIR /stackable
 
-COPY --chown=stackable:stackable trino/stackable /stackable
-COPY --chown=stackable:stackable trino/licenses /licenses
+COPY --chown=${STACKABLE_USER_UID}:0 trino/stackable /stackable
+COPY --chown=${STACKABLE_USER_UID}:0 trino/licenses /licenses
 
 COPY --from=builder /stackable/trino-server-${PRODUCT} /stackable/trino-server-${PRODUCT}
 COPY --from=jmx-exporter-builder /stackable/jmx_prometheus-${JMX_EXPORTER}-src/jmx_prometheus_javaagent/target/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar /stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar
-RUN ln -s /stackable/trino-server-${PRODUCT} /stackable/trino-server && \
-    ln -s /stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar /stackable/jmx/jmx_prometheus_javaagent.jar
 
+RUN <<EOF
+ln -s /stackable/trino-server-${PRODUCT} /stackable/trino-server
+ln -s /stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar /stackable/jmx/jmx_prometheus_javaagent.jar
+
+# All files and folders owned by root group to support running as arbitrary users.
+# This is best practice as all container users will belong to the root group (0).
+chown -R ${STACKABLE_USER_UID}:0 /stackable
+chmod -R g=u /stackable
+EOF
+
+# ----------------------------------------
+# Attention: We are changing the group of all files in /stackable directly above
+# If you do any file based actions (copying / creating etc.) below this comment you
+# absolutely need to make sure that the correct permissions are applied!
+# chown ${STACKABLE_USER_UID}:0
+# ----------------------------------------
+
+USER ${STACKABLE_USER_UID}
 WORKDIR /stackable/trino-server
 CMD ["bin/launcher", "run", "--etc-dir=/stackable/conf"]
diff --git a/vector/Dockerfile b/vector/Dockerfile
index ad7ff0a27..e73571b64 100644
--- a/vector/Dockerfile
+++ b/vector/Dockerfile
@@ -7,6 +7,7 @@ ARG PRODUCT
 ARG RPM_RELEASE
 ARG INOTIFY_TOOLS
 ARG TARGETARCH
+ARG STACKABLE_USER_UID
 
 # Init Jobs/Pods often start a Vector Sidecar Container which collects the logs.
 # As soon as an Init Container is done it'll need to tell the Vector sidecar that it can now also stop
@@ -25,4 +26,4 @@ RUN ARCH="${TARGETARCH/amd64/x86_64}" ARCH="${ARCH/arm64/aarch64}" && \
     # Vector state, such as on-disk buffers, file checkpoints, and more.
     # Vector needs write permissions.
     mkdir --parents /stackable/vector/var && \
-    chown --recursive stackable:stackable /stackable/
+    chown --recursive ${STACKABLE_USER_UID}:0 /stackable/
diff --git a/zookeeper/Dockerfile b/zookeeper/Dockerfile
index 7bbe342be..1d9302927 100644
--- a/zookeeper/Dockerfile
+++ b/zookeeper/Dockerfile
@@ -8,11 +8,12 @@ FROM stackable/image/java-devel AS builder
 
 ARG PRODUCT
 ARG JMX_EXPORTER
+ARG STACKABLE_USER_UID
 
 # Copy patches and JMX config into the builder
-COPY --chown=stackable:stackable zookeeper/stackable /stackable
+COPY --chown=${STACKABLE_USER_UID}:0 zookeeper/stackable /stackable
 
-USER stackable
+USER ${STACKABLE_USER_UID}
 WORKDIR /stackable
 
 # Download ZooKeeper sources from our own repo
@@ -65,6 +66,7 @@ FROM stackable/image/java-base
 
 ARG PRODUCT
 ARG RELEASE
+ARG STACKABLE_USER_UID
 
 LABEL name="Apache ZooKeeper" \
       maintainer="info@stackable.tech" \
@@ -79,21 +81,35 @@ RUN microdnf update && \
     rpm -qa --qf "%{NAME}-%{VERSION}-%{RELEASE}\n" | sort > /stackable/package_manifest.txt && \
     rm -rf /var/cache/yum
 
-USER stackable
 WORKDIR /stackable
 
 # Copy over the ZooKeeper binary folder
-COPY --chown=stackable:stackable --from=builder /stackable/apache-zookeeper-${PRODUCT}-bin /stackable/apache-zookeeper-${PRODUCT}-bin/
-COPY --chown=stackable:stackable --from=builder /stackable/jmx /stackable/jmx/
+COPY --chown=${STACKABLE_USER_UID}:0 --from=builder /stackable/apache-zookeeper-${PRODUCT}-bin /stackable/apache-zookeeper-${PRODUCT}-bin/
+COPY --chown=${STACKABLE_USER_UID}:0 --from=builder /stackable/jmx /stackable/jmx/
 COPY zookeeper/licenses /licenses
 
 # Add link pointing from /stackable/zookeeper to /stackable/apache-zookeeper-${PRODUCT}-bin/
 # to preserve the folder name with the version.
-RUN ln -s /stackable/apache-zookeeper-${PRODUCT}-bin/ /stackable/zookeeper
+RUN <<EOF
+ln -s /stackable/apache-zookeeper-${PRODUCT}-bin/ /stackable/zookeeper
+
+# All files and folders owned by root group to support running as arbitrary users.
+# This is best practice as all container users will belong to the root group (0).
+chown -R ${STACKABLE_USER_UID}:0 /stackable
+chmod -R g=u /stackable
+EOF
+
+# ----------------------------------------
+# Attention: We are changing the group of all files in /stackable directly above
+# If you do any file based actions (copying / creating etc.) below this comment you
+# absolutely need to make sure that the correct permissions are applied!
+# chown ${STACKABLE_USER_UID}:0
+# ----------------------------------------
 
 ENV ZOOKEEPER_HOME=/stackable/zookeeper
 ENV PATH="${PATH}":/stackable/zookeeper/bin
 
+USER ${STACKABLE_USER_UID}
 WORKDIR /stackable/zookeeper
 CMD ["bin/zkServer.sh", "start-foreground", "conf/zoo_sample.cfg"]