diff --git a/assets/pam.d/kiosk b/assets/pam.d/kiosk
index 535cf6cee672e1ca6a0b9cc045eca93ab931ab63..995e2aafbdd4d2f1b6df72f11a00909dda830ff9 100644
--- a/assets/pam.d/kiosk
+++ b/assets/pam.d/kiosk
@@ -1,4 +1,7 @@
 auth           required        pam_unix.so nullok
+
 account        required        pam_unix.so
+
 session        required        pam_unix.so
+session        required        pam_loginuid.so
 session        required        pam_systemd.so class=user type=wayland
diff --git a/assets/systemd/system/de.h-da.fbi.kiosk.service b/assets/systemd/system/de.h-da.fbi.kiosk.service
index bf6c20b9f917852b2095b1b1ad15a55f706725aa..24b12ad92af6f411b0b336c4bac6ec035817c215 100644
--- a/assets/systemd/system/de.h-da.fbi.kiosk.service
+++ b/assets/systemd/system/de.h-da.fbi.kiosk.service
@@ -24,20 +24,8 @@ PAMName=kiosk
 
 User=kiosk
 Group=kiosk
-RemoveIPC=yes
-PrivateTmp=yes
 NoNewPrivileges=yes
 RestrictSUIDSGID=yes
-ProtectSystem=strict
-ProtectHome=no
-
-RuntimeDirectory=kiosk
-StateDirectory=kiosk
-CacheDirectory=kiosk
-LogsDirectory=kisok
-ConfigurationDirectory=kiosk
-TemporaryFileSystem=/tmp/.X11-unix/:mode=1777
-TemporaryFileSystem=/run/kiosk/home/:mode=0700
 
 [Install]
 Alias=display-manager.service
diff --git a/assets/tmpfiles.d/kiosk.conf b/assets/tmpfiles.d/kiosk.conf
new file mode 100644
index 0000000000000000000000000000000000000000..58952df2e3b51cce4341356b137830ba5b6d95a1
--- /dev/null
+++ b/assets/tmpfiles.d/kiosk.conf
@@ -0,0 +1,2 @@
+#Type | Path       | Mode | User  | Group | Age | Argument...
+d       /run/kiosk   0700   kiosk   kiosk   0     -
diff --git a/bootc/Containerfile b/bootc/Containerfile
index 252ac274dba957276a923f5ebd1d964165ffbf9f..fa7f3553658f4ac6aa5b80eb92d0ebcfb784f900 100644
--- a/bootc/Containerfile
+++ b/bootc/Containerfile
@@ -3,28 +3,34 @@ ARG FEDORA_VERSION=42
 FROM quay.io/fedora/fedora-minimal:$FEDORA_VERSION AS compositor_builder
 ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 
-RUN dnf install -y rust cargo \
-      'pkgconfig(wayland-server)' 'pkgconfig(xkbcommon)' 'pkgconfig(libudev)' 'pkgconfig(libinput)' 'pkgconfig(gbm)' 'pkgconfig(libseat)' 'pkgconfig(glib-2.0)' 'pkgconfig(libdisplay-info)'
+RUN dnf install -y gcc \
+    'pkgconfig(wayland-server)' 'pkgconfig(xkbcommon)' 'pkgconfig(libudev)' 'pkgconfig(libinput)' 'pkgconfig(gbm)' 'pkgconfig(libseat)' 'pkgconfig(glib-2.0)' 'pkgconfig(libdisplay-info)'
 
 WORKDIR /opt/build
 
 COPY crates/ /opt/build/crates/
-COPY Cargo.lock Cargo.toml /opt/build/
+COPY Cargo.lock Cargo.toml rust-toolchain.toml /opt/build/
 
-RUN cargo build --release --package kiosk-compositor --bin kiosk-compositor
+RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- --no-modify-path --default-toolchain none -y >/dev/null \
+    && export PATH="$HOME/.cargo/bin:$PATH" \
+    && rustup toolchain install \
+    && cargo build --release --package kiosk-compositor --bin kiosk-compositor
 
 FROM quay.io/fedora/fedora-minimal:$FEDORA_VERSION AS launcher_builder
 ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 
-RUN dnf install -y rust cargo blueprint-compiler clang \
+RUN dnf install -y blueprint-compiler clang \
       'pkgconfig(gtk4)' 'pkgconfig(libadwaita-1)' 'pkgconfig(libpipewire-0.3)' 'pkgconfig(gtk4-layer-shell-0)' 'pkgconfig(openssl)' 'pkgconfig(webkitgtk-6.0)'
 
 WORKDIR /opt/build
 
 COPY crates/ /opt/build/crates/
-COPY Cargo.lock Cargo.toml /opt/build/
+COPY Cargo.lock Cargo.toml rust-toolchain.toml /opt/build/
 
-RUN cargo build --release --package kiosk-launcher --bin kiosk-launcher
+RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- --no-modify-path --default-toolchain none -y >/dev/null \
+    && export PATH="$HOME/.cargo/bin:$PATH" \
+    && rustup toolchain install \
+    && cargo build --release --package kiosk-launcher --bin kiosk-launcher
 
 FROM quay.io/fedora/fedora-bootc:$FEDORA_VERSION
 
@@ -59,6 +65,8 @@ COPY --chmod=0644 assets/pam.d/kiosk /usr/lib/pam.d/kiosk
 
 COPY --chmod=0644 assets/sysusers.d/kiosk.conf /usr/lib/sysusers.d/kiosk.conf
 
+COPY --chmod=0644 assets/tmpfiles.d/kiosk.conf /usr/lib/tmpfiles.d/kiosk.conf
+
 COPY --chmod=0644 \
  assets/plymouth/h-da/h-da.plymouth \
  assets/plymouth/h-da/h-da.script \
diff --git a/crates/compositor/src/main.rs b/crates/compositor/src/main.rs
index b930deccfedc83687da1d6f0107838b03a64e1a3..4115a9f3c0118f6a93550fa587238cfb6c1c5ab0 100644
--- a/crates/compositor/src/main.rs
+++ b/crates/compositor/src/main.rs
@@ -1,3 +1,6 @@
+use std::env::home_dir;
+use std::fs::{create_dir, OpenOptions};
+use std::io::ErrorKind;
 use calloop::signals::Signal::{SIGINT, SIGQUIT, SIGTERM};
 use calloop::signals::Signals;
 use clap::{Args, Parser};
@@ -53,6 +56,18 @@ struct Cli {
 }
 
 fn main() {
+    let home_dir_path = home_dir().expect("Home directory unknown"); 
+    if let Err(error) = create_dir(&home_dir_path) {
+        if error.kind() != ErrorKind::AlreadyExists {
+            Err::<(),_>(error).expect("Could not create home directory");
+        }
+    }
+    let home_dir = OpenOptions::new()
+        .read(true)
+        .open(home_dir_path)
+        .expect("Home directory not found");
+    home_dir.lock().expect("Failed to lock home directory");
+
     // Initialize the signals at the very beginning so that every thread will inherit the same
     // signal mask.
     let signal_source = Signals::new(&[SIGINT, SIGTERM, SIGQUIT]).expect("Failed to create signal source.");
diff --git a/rust-toolchain.toml b/rust-toolchain.toml
new file mode 100644
index 0000000000000000000000000000000000000000..0a3954669fd83f6265f829ad74e983959b74c8d7
--- /dev/null
+++ b/rust-toolchain.toml
@@ -0,0 +1,3 @@
+[toolchain]
+# TODO: Change to stable as soon as 1.87.0 has been released.
+channel = "nightly"