diff --git a/Dockerfile b/Dockerfile
index 35ecd4f20..2b00c2281 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -24,7 +24,13 @@ COPY --from=builder /output/ /output
 RUN /output/install-from-bindep
 
 ### Containers should NOT run as root as a good practice
-RUN chmod g=u /etc/passwd
+
+# although this feels odd ... by default has group "shadow", meaning
+# uid_entrypoint can't update it. This is necessary for things like
+# sudo to work.
+RUN chown root:root /etc/shadow
+
+RUN chmod g=u /etc/passwd /etc/shadow
 ENV APP_ROOT=/var/lib/nodepool
 ENV HOME=${APP_ROOT}
 ENV USER_NAME=nodepool
diff --git a/tools/uid_entrypoint.sh b/tools/uid_entrypoint.sh
index 3c8d78cf8..b1b21aaf4 100755
--- a/tools/uid_entrypoint.sh
+++ b/tools/uid_entrypoint.sh
@@ -16,7 +16,8 @@
 
 if ! whoami 2>&1 >/dev/null; then
 if [ -w /etc/passwd ]; then
-echo "${USER_NAME:-default}:x:$(id -u):0:${USER_NAME:-default} user:${HOME}:/sbin/nologin" >> /etc/passwd
+echo "${USER_NAME:-default}:x:$(id -u):0:${USER_NAME:-default} user:${HOME}:/sbin/nologin" >> /etc/passwd
+echo "${USER_NAME:-default}:!:18211:0:99999:7:::" >> /etc/shadow
 fi
 fi
 exec dumb-init "$@"
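Review bot: `RUN chown root:root /etc/shadow` followed by `RUN chmod g=u /etc/passwd /etc/shadow` leaves /etc/shadow writable by GID 0 (presumably 0640 → 0660 on this base), and uid_entrypoint.sh gives the runtime user GID 0, so that user can append or rewrite the password field of any account in the container, root included; the comment only says this is "necessary for things like sudo to work" and does not name the file or spell out that consequence. Replace the comment with something like `# /etc/shadow is root:shadow by default, so the GID-0 runtime user cannot write it; make it root:root and group-writable so uid_entrypoint can add a shadow entry (required for sudo/PAM). NOTE: this also lets the runtime user modify any account's password field.` The two RUN lines are one logical step and could be a single layer, `RUN chown root:root /etc/shadow && chmod g=u /etc/passwd /etc/shadow`.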
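Review bot: The new `echo ... >> /etc/shadow` is guarded only by `[ -w /etc/passwd ]`, so on an image where /etc/shadow is not group-writable the append fails with a permission error and, depending on whether the script's head (outside this hunk) sets `set -e`, either aborts the entrypoint or silently leaves the user without a shadow entry; guard it on its own: `if [ -w /etc/shadow ]; then echo "${USER_NAME:-default}:!:$(( $(date +%s) / 86400 )):0:99999:7:::" >> /etc/shadow; fi`. The literal `18211` is the days-since-epoch "last changed" field frozen at authoring time; computing it as above, or at least a comment `# shadow fields: name:password(! = locked, no password auth):lastchg:min:max:warn:::`, would make the entry self-explaining. The `!` password field means the account cannot authenticate with a password, which is fine for NOPASSWD sudo but worth stating in the comment.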