diff --git a/.gitignore b/.gitignore
index a6a061e..1473acd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,7 +3,7 @@
 /.push-*
 /.container-*
 /.dockerfile-*
-/.licenses
+/.licenses*
 /.buildx-initialized
 
 # Emacs save files
diff --git a/Dockerfile.in b/Dockerfile.in
index c66e884..b101cbd 100644
--- a/Dockerfile.in
+++ b/Dockerfile.in
@@ -32,8 +32,8 @@ ARG HASH_BINARY=0
 # Add the platform-specific binary.
 COPY bin/{ARG_OS}_{ARG_ARCH}/{ARG_BIN} /{ARG_BIN}
 
-# This would be nicer as `nobody:nobody` but distroless has no such entries.
-USER 65535:65535
+# This container has to run as root for iptables. Be explicit here.
+USER 0:0
 ENV HOME /
 
 ENTRYPOINT ["/{ARG_BIN}"]