diff --git a/Dockerfile b/Dockerfile
index 5620d49cd..892f92e4b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -175,12 +175,15 @@ RUN chmod +x /home/steam/server/*.sh && \
     ln -sf /home/steam/server/autopause.sh /usr/local/bin/autopause && \
     ln -sf /home/steam/server/autopaused-ctl.sh /usr/local/sbin/autopaused-ctl
 
-# install mitmproxy addons & certs
+# install mitmproxy addons
 RUN mkdir -p /home/steam/autopause/addons && \
     mv /home/steam/server/PalIntercept.py ../autopause/addons/ && \
-    chown -R steam:steam /home/steam/autopause && \
-    ln -sf /home/steam/.mitmproxy/mitmproxy-ca-cert.pem /usr/local/share/ca-certificates/mitmproxy.crt && \
-    mv /home/steam/server/files/sudoers-steam /etc/sudoers.d/
+    chown -R steam:steam /home/steam/autopause
+
+# Preparation to incorporate ca-cert generated at runtime by mitmproxy.
+RUN ln -sf /home/steam/.mitmproxy/mitmproxy-ca-cert.pem /usr/local/share/ca-certificates/mitmproxy.crt && \
+    mv /home/steam/server/files/sudoers-steam /etc/sudoers.d/steam && \
+    chmod 0440 /etc/sudoers.d/steam
 
 WORKDIR /home/steam/server
 
diff --git a/scripts/files/sudoers-steam b/scripts/files/sudoers-steam
new file mode 100644
index 000000000..bc5fb336f
--- /dev/null
+++ b/scripts/files/sudoers-steam
@@ -0,0 +1 @@
+steam ALL=(ALL:ALL) NOPASSWD: /usr/sbin/update-ca-certificates