diff --git a/docs/reference/options.md b/docs/reference/options.md
index 8589dcbf7..97c04cc36 100644
--- a/docs/reference/options.md
+++ b/docs/reference/options.md
@@ -163,6 +163,21 @@ boolean
 
 
 
+## containers.\<name>.maxLayers
+
+The maximum number of layers created when the container is created.
+
+*Type:*
+int
+
+*Default:*
+` 1 `
+
+*Declared by:*
+ - [https://github.com/cachix/devenv/blob/main/src/modules/containers.nix](https://github.com/cachix/devenv/blob/main/src/modules/containers.nix)
+
+
+
 ## containers.\<name>.name
 
 Name of the container.
diff --git a/src/modules/containers.nix b/src/modules/containers.nix
index d7a8a51f0..b98bd42c5 100644
--- a/src/modules/containers.nix
+++ b/src/modules/containers.nix
@@ -21,8 +21,9 @@ let
     attribute = "containers";
   };
   shell = mk-shell-bin.lib.mkShellBin { drv = config.shell; nixpkgs = pkgs; };
+  bash = "${pkgs.bashInteractive}/bin/bash";
   mkEntrypoint = cfg: pkgs.writeScript "entrypoint" ''
-    #!${pkgs.bash}/bin/bash
+    #!${bash}
 
     export PATH=/bin
 
@@ -31,31 +32,119 @@ let
     # expand any envvars before exec
     cmd="`echo "$@"|${pkgs.envsubst}/bin/envsubst`"
 
-    ${pkgs.bash}/bin/bash -c "$cmd"
+    ${bash} -c "$cmd"
   '';
+  user = "user";
+  group = "user";
+  uid = "1000";
+  gid = "1000";
+  homeDir = "/env";
+
+  mkHome = path: (pkgs.runCommand "devenv-container-home" { } ''
+    mkdir -p $out${homeDir}
+    cp -R ${path}/* $out${homeDir}/
+  '');
+
+  mkMultiHome = paths: map mkHome paths;
+
+  homeRoots = cfg: (
+    if (builtins.typeOf cfg.copyToRoot == "list")
+    then cfg.copyToRoot
+    else [ cfg.copyToRoot ]
+  );
+
+  mkTmp = (pkgs.runCommand "devenv-container-tmp" { } ''
+    mkdir -p $out/tmp
+  '');
+
+  mkEtc = (pkgs.runCommand "devenv-container-etc" { } ''
+    mkdir -p $out/etc/pam.d
+
+    echo "root:x:0:0:System administrator:/root:${bash}" > \
+          $out/etc/passwd
+    echo "${user}:x:${uid}:${gid}::${homeDir}:${bash}" >> \
+          $out/etc/passwd
+
+    echo "root:!x:::::::" > $out/etc/shadow
+    echo "${user}:!x:::::::" >> $out/etc/shadow
+
+    echo "root:x:0:" > $out/etc/group
+    echo "${group}:x:${gid}:" >> $out/etc/group
+
+    cat > $out/etc/pam.d/other <<EOF
+    account sufficient pam_unix.so
+    auth sufficient pam_rootok.so
+    password requisite pam_unix.so nullok sha512
+    session required pam_unix.so
+    EOF
+
+    touch $out/etc/login.defs
+  '');
+
+  mkPerm = derivation:
+    {
+      path = derivation;
+      mode = "0744";
+      uid = lib.toInt uid;
+      gid = lib.toInt gid;
+      uname = user;
+      gname = group;
+    };
+
+
   mkDerivation = cfg: nix2container.nix2container.buildImage {
     name = cfg.name;
     tag = cfg.version;
+    initializeNixDatabase = true;
+    nixUid = lib.toInt uid;
+    nixGid = lib.toInt gid;
+
     copyToRoot = [
-      (pkgs.runCommand "create-paths" { } ''
-        mkdir -p $out/tmp
-      '')
       (pkgs.buildEnv {
-        name = "root";
+        name = "devenv-container-root";
         paths = [
           pkgs.coreutils-full
-          pkgs.bash
-        ] ++ lib.optionals (cfg.copyToRoot != null)
-          (if builtins.typeOf cfg.copyToRoot == "list"
-          then cfg.copyToRoot
-          else [ cfg.copyToRoot ]);
-        pathsToLink = "/";
+          pkgs.bashInteractive
+          pkgs.su
+          pkgs.sudo
+        ];
+        pathsToLink = "/bin";
       })
+      mkEtc
+      mkTmp
     ];
+
+    maxLayers = cfg.maxLayers;
+
+    layers = [
+      (nix2container.nix2container.buildLayer {
+        perms = map mkPerm (mkMultiHome (homeRoots cfg));
+        copyToRoot = mkMultiHome (homeRoots cfg);
+      })
+    ];
+
+    perms = [
+      {
+        path = mkTmp;
+        regex = "/tmp";
+        mode = "1777";
+        uid = 0;
+        gid = 0;
+        uname = "root";
+        gname = "root";
+      }
+    ];
+
     config = {
-      Env = lib.mapAttrsToList (name: value: "${name}=${lib.escapeShellArg (toString value)}") config.env;
-      Cmd = [ cfg.startupCommand ];
       Entrypoint = cfg.entrypoint;
+      User = "${user}";
+      WorkingDir = "${homeDir}";
+      Env = lib.mapAttrsToList
+        (name: value:
+          "${name}=${lib.escapeShellArg (toString value)}"
+        )
+        config.env ++ [ "HOME=${homeDir}" "USER=${user}" ];
+      Cmd = [ cfg.startupCommand ];
     };
   };
 
@@ -136,6 +225,12 @@ let
         default = "docker://";
       };
 
+      maxLayers = lib.mkOption {
+        type = types.nullOr types.int;
+        description = "Maximum number of container layers created.";
+        default = 1;
+      };
+
       isBuilding = lib.mkOption {
         type = types.bool;
         default = false;
@@ -158,7 +253,7 @@ let
         type = types.package;
         internal = true;
         default = pkgs.writeScript "docker-run" ''
-          #!${pkgs.bash}/bin/bash
+          #!${bash}
 
           docker run -it ${config.name}:${config.version} "$@"
         '';
@@ -189,7 +284,7 @@ in
 
       containers.shell = {
         name = lib.mkDefault "shell";
-        startupCommand = lib.mkDefault "bash";
+        startupCommand = lib.mkDefault bash;
       };
 
       containers.processes = {
@@ -201,7 +296,7 @@ in
       containers.${envContainerName}.isBuilding = true;
     })
     (lib.mkIf config.container.isBuilding {
-      devenv.root = lib.mkForce "/";
+      devenv.root = lib.mkForce "${homeDir}";
     })
   ];
 }
diff --git a/src/modules/languages/python.nix b/src/modules/languages/python.nix
index 65aaf2252..fccd57049 100644
--- a/src/modules/languages/python.nix
+++ b/src/modules/languages/python.nix
@@ -7,7 +7,7 @@ let
     ++ (lib.optional cfg.manylinux.enable pkgs.pythonManylinuxPackages.manylinux2014Package)
     # see https://matrix.to/#/!kjdutkOsheZdjqYmqp:nixos.org/$XJ5CO4bKMevYzZq_rrNo64YycknVFJIJTy6hVCJjRlA?via=nixos.org&via=matrix.org&via=nixos.dev
     ++ [ pkgs.stdenv.cc.cc.lib ]
-    );
+  );
 
   readlink = "${pkgs.coreutils}/bin/readlink -f ";
   package = pkgs.callPackage "${pkgs.path}/pkgs/development/interpreters/python/wrapper.nix" {