diff --git a/build-workspace.sh b/build-workspace.sh
index 90e88d4..ea30390 100755
--- a/build-workspace.sh
+++ b/build-workspace.sh
@@ -17,8 +17,7 @@ buildah run "$ctr" -- bash -c "\
 useradd -ms /bin/zsh $DEV_USER && \
 useradd --system --no-create-home --shell /usr/sbin/nologin viewer && \
 usermod -aG $DEV_USER viewer && mkdir -p /tmp/tmux-shared && \
- chmod 750 /tmp/tmux-shared && \
- mkdir -p $DEV_HOME/.gnupg && chmod 700 $DEV_HOME/.gnupg
+ mkdir -p $DEV_HOME/.gnupg
 "
 # copy start script
 buildah copy "$ctr" start.sh /start.sh
@@ -34,9 +33,13 @@ buildah copy "$ctr" local $DEV_HOME/.local
 # zsh and tmux config (immutable)
 buildah run "$ctr" -- bash -c "
 find $DEV_HOME -type f -exec chmod 400 {} + && \
- find $DEV_HOME -type d -exec chmod 500 {} + && \
- chmod -R 500 $SECURE && \
- chmod +x /start.sh
+ find $DEV_HOME -type f -exec chattr +i {} + && \
+ find $DEV_HOME -type d -exec chmod 700 {} + && \
+ chmod 750 /tmp/tmux-shared && chmod -R 500 $SECURE && \
+ chmod +x /start.sh && \
+ chown -R $DEV_USER:$DEV_USER $DEV_HOME && \
+ chattr -R +x $DEV_HOME && chattr +x /tmp/tmux-shared && \
+ chown -R $DEV_USER:$DEV_USER /tmp/tmux-shared
 "
 
 buildah config \
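Review bot: `$DEV_HOME/.gnupg` is now created without its own `chmod 700`, so its mode depends on the blanket `find $DEV_HOME -type d -exec chmod 700 {} +` pass in the later `buildah run` block. A future change to that pass (this commit already moves it from 500 to 700) would silently change the GnuPG home's permissions. Either keep `mkdir -p $DEV_HOME/.gnupg && chmod 700 $DEV_HOME/.gnupg`, or add a comment above this `buildah run` such as `# .gnupg mode is set by the find/chmod 700 pass below`. The `bash -c` string opens above the hunk, so only its tail is visible here.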
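Review bot: In the second `buildah run` block, `find $DEV_HOME -type f -exec chattr +i {} +` runs before `chown -R $DEV_USER:$DEV_USER $DEV_HOME`. chown on an immutable file fails with EPERM, so the `&&` chain would stop there; the `chown -R $DEV_USER:$DEV_USER $DEV_HOME && \` line should move ahead of the `chattr +i` line. Directories also change from 500 to 700 and become owned by `$DEV_USER`, so the "immutable" config now rests entirely on the `+i` flag. That flag needs CAP_LINUX_IMMUTABLE and a supporting filesystem at build time, and inode flags are not normally carried in image layers, so it is worth checking with `lsattr` in the built image that it survives. Separately, `chattr +x` sets the DAX attribute rather than an execute bit; if traverse or execute permission was intended, that is `chmod`.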