diff --git a/scripts/Dockerfile b/scripts/Dockerfile
index 9aad358f6..ed2894c2b 100644
--- a/scripts/Dockerfile
+++ b/scripts/Dockerfile
@@ -29,7 +29,7 @@ RUN --mount=type=cache,target=/go/pkg/mod \
 FROM alpine:3.21 AS monolithic
 
 # Install runtime dependencies and create non-root user in single layer
-RUN apk add --no-cache tzdata ca-certificates && \
+RUN apk add --no-cache tzdata ca-certificates su-exec && \
 addgroup -g 10001 -S nonroot && \
 adduser -u 10001 -S -G nonroot -h /var/opt/memos nonroot && \
 mkdir -p /var/opt/memos /usr/local/memos && \
@@ -39,8 +39,8 @@ RUN apk add --no-cache tzdata ca-certificates && \
 COPY --from=backend /backend-build/memos /usr/local/memos/memos
 COPY --from=backend --chmod=755 /backend-build/scripts/entrypoint.sh /usr/local/memos/entrypoint.sh
 
-# Switch to non-root user
-USER nonroot:nonroot
+# Run as root to fix permissions, entrypoint will drop to nonroot
+USER root
 
 # Set working directory to the writable volume
 WORKDIR /var/opt/memos
diff --git a/scripts/entrypoint.sh b/scripts/entrypoint.sh
index ec62af83d..710469df9 100755
--- a/scripts/entrypoint.sh
+++ b/scripts/entrypoint.sh
@@ -1,5 +1,19 @@
 #!/usr/bin/env sh
 
+# Fix ownership of data directory for users upgrading from older versions
+# where files were created as root
+MEMOS_UID=${MEMOS_UID:-10001}
+MEMOS_GID=${MEMOS_GID:-10001}
+DATA_DIR="/var/opt/memos"
+
+if [ "$(id -u)" = "0" ]; then
+ # Running as root, fix permissions and drop to nonroot
+ if [ -d "$DATA_DIR" ]; then
+ chown -R "$MEMOS_UID:$MEMOS_GID" "$DATA_DIR" 2>/dev/null || true
+ fi
+ exec su-exec "$MEMOS_UID:$MEMOS_GID" "$0" "$@"
+fi
+
 file_env() {
 var="$1"
 fileVar="${var}_FILE"
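Review bot: The comment above the new `USER root` in the second Dockerfile hunk should state that root is needed only for the ownership fix-up in entrypoint.sh and that an explicit `--user` is still honoured, because every `docker exec` and any overridden entrypoint now starts as uid 0 where the previous `USER nonroot:nonroot` started it unprivileged. entrypoint.sh guards its chown/su-exec path with `[ "$(id -u)" = "0" ]`, so a deployment that runs the image with `--user 10001:10001` skips the fix-up and keeps the old single-user behaviour, but nothing in the Dockerfile tells an operator that. Proposed comment: `# Start as root only so entrypoint.sh can chown the data volume and su-exec to nonroot; run with --user <uid>:<gid> to skip the fix-up and stay unprivileged throughout`.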
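Review bot: In the new root branch of entrypoint.sh, `MEMOS_UID` and `MEMOS_GID` come from the environment unvalidated, so `MEMOS_UID=0` makes `exec su-exec "$MEMOS_UID:$MEMOS_GID" "$0" "$@"` re-run the script as root, pass the `id -u` check again and loop forever, and a non-numeric value is handed straight to chown and su-exec. Reject bad values before the branch, e.g. `case "$MEMOS_UID" in ''|*[!0-9]*|0) echo "MEMOS_UID must be a non-zero integer" >&2; exit 1 ;; esac` and the same pattern for `MEMOS_GID` (whether gid 0 is accepted is a policy choice). The `2>/dev/null || true` on the `chown -R` also hides a failed fix-up on a read-only or root-squashed mount, so the permission error surfaces only later inside memos; `|| echo "warning: could not change ownership of $DATA_DIR" >&2` keeps the best-effort semantics while leaving a trace in the container log. `file_env()` begins at the end of this hunk and its body continues outside it.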