diff --git a/Dockerfile b/Dockerfile
index 1b2f816..c797f23 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -27,7 +27,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 COPY docker-entrypoint.sh /usr/local/bin/
 RUN chmod +x /usr/local/bin/docker-entrypoint.sh
 
-# Copy application
+# Copy application (as www-data for composer)
 USER www-data
 WORKDIR /var/www/html
 COPY --chown=www-data:www-data . .
@@ -35,6 +35,9 @@ COPY --chown=www-data:www-data . .
 # Install Composer dependencies (production)
 RUN composer install --no-dev --optimize-autoloader --no-interaction
 
+# Switch back to root for S6-overlay /init
+USER root
+
 # Kein eigener Health Check - Coolify/Traefik übernimmt das
 HEALTHCHECK NONE
 
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
index c2c2278..f7c8841 100644
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -1,9 +1,12 @@
 #!/bin/bash
 # Erstellt .env aus Docker Environment Variables
+# Muss als root laufen (serversideup S6-overlay Requirement)
+
+set -e
 
 ENV_FILE="/var/www/html/.env"
 
-# Nur erstellen wenn nicht existiert
+# .env aus Environment Variables erstellen
 if [ ! -f "$ENV_FILE" ]; then
     cat > "$ENV_FILE" << EOF
 WP_ENV=${WP_ENV:-production}
@@ -24,8 +27,9 @@ LOGGED_IN_SALT=${LOGGED_IN_SALT}
 NONCE_SALT=${NONCE_SALT}
 EOF
     chown www-data:www-data "$ENV_FILE"
-    echo ".env created from environment variables"
+    chmod 600 "$ENV_FILE"
+    echo "[entrypoint] .env created from environment variables"
 fi
 
-# Original entrypoint ausführen
+# S6-overlay /init ausführen (als root!)
 exec "$@"