diff --git a/vanilla_first_setup/utils/processor.py b/vanilla_first_setup/utils/processor.py
index 5a51b12e..88ff8bae 100644
--- a/vanilla_first_setup/utils/processor.py
+++ b/vanilla_first_setup/utils/processor.py
@@ -129,6 +129,9 @@ def get_setup_commands(log_path, pre_run, post_run, commands):
 
                 f.write(f"{command}\n")
 
+            # prevent privilege escalation
+            f.write(f"chown root:root {commands_script_path}\n")
+
             # run the outRun commands
             if out_run:
                 f.write("if [ $? -eq 0 ]; then")