diff --git a/assets/pam.d/kiosk b/assets/pam.d/kiosk
index 535cf6cee672e1ca6a0b9cc045eca93ab931ab63..995e2aafbdd4d2f1b6df72f11a00909dda830ff9 100644
--- a/assets/pam.d/kiosk
+++ b/assets/pam.d/kiosk
@@ -1,4 +1,7 @@
 auth           required        pam_unix.so nullok
+
 account        required        pam_unix.so
+
 session        required        pam_unix.so
+session        required        pam_loginuid.so
 session        required        pam_systemd.so class=user type=wayland
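Review bot: The added `pam_loginuid.so` line has no comment saying why the kiosk stack needs it or why it sits where it does. It presumably has to run before `pam_systemd.so`, so that the audit login UID is already set when the session is registered with logind. A comment above it such as `# Set the audit login UID for the kiosk session; keep before pam_systemd.so` would stop a later reorder from silently breaking audit attribution. Because the module is `required`, a failure to write the login UID (for example when it is already set and immutable) fails the whole session, so it is worth confirming that the service always starts from a context with an unset login UID.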
diff --git a/assets/systemd/system/de.h-da.fbi.kiosk.service b/assets/systemd/system/de.h-da.fbi.kiosk.service
index bf6c20b9f917852b2095b1b1ad15a55f706725aa..24b12ad92af6f411b0b336c4bac6ec035817c215 100644
--- a/assets/systemd/system/de.h-da.fbi.kiosk.service
+++ b/assets/systemd/system/de.h-da.fbi.kiosk.service
@@ -24,20 +24,8 @@ PAMName=kiosk
 
 User=kiosk
 Group=kiosk
-RemoveIPC=yes
-PrivateTmp=yes
 NoNewPrivileges=yes
 RestrictSUIDSGID=yes
-ProtectSystem=strict
-ProtectHome=no
-
-RuntimeDirectory=kiosk
-StateDirectory=kiosk
-CacheDirectory=kiosk
-LogsDirectory=kisok
-ConfigurationDirectory=kiosk
-TemporaryFileSystem=/tmp/.X11-unix/:mode=1777
-TemporaryFileSystem=/run/kiosk/home/:mode=0700
 
 [Install]
 Alias=display-manager.service
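Review bot: With `ProtectSystem=strict`, `PrivateTmp=yes` and `RemoveIPC=yes` gone, the only hardening left in this part of the unit is `NoNewPrivileges=yes` and `RestrictSUIDSGID=yes`. The kiosk session now sees a writable host filesystem (limited only by file permissions) and the shared `/tmp`, and its IPC objects outlive the service. If the reason for the removal was the move of `/run/kiosk` to tmpfiles.d, the filesystem protection can probably stay with an explicit exception, e.g. `ProtectSystem=strict` plus `ReadWritePaths=/run/kiosk`. The removed `RuntimeDirectory=`/`TemporaryFileSystem=` lines also gave each start a fresh state directory, which the replacement does not obviously do, so data from a previous kiosk session may persist. The unit's `[Service]` section starts outside this hunk, so other directives may apply that are not visible here.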
diff --git a/assets/tmpfiles.d/kiosk.conf b/assets/tmpfiles.d/kiosk.conf
new file mode 100644
index 0000000000000000000000000000000000000000..58952df2e3b51cce4341356b137830ba5b6d95a1
--- /dev/null
+++ b/assets/tmpfiles.d/kiosk.conf
@@ -0,0 +1,2 @@
+#Type | Path       | Mode | User  | Group | Age | Argument...
+d       /run/kiosk   0700   kiosk   kiosk   0     -
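Review bot: Age `0` on this `d` line means `systemd-tmpfiles --clean` removes the contents of `/run/kiosk` unconditionally on every run, and only skips subtrees on which a BSD file lock is held. The compositor change in `crates/compositor/src/main.rs` locks the home directory, which is presumably what keeps a running session alive, but anything under `/run/kiosk` outside that locked path would still be deleted while the kiosk is in use. If that coupling is intended, say so in the file, e.g. `# Age 0: wiped on every clean run unless the compositor holds its lock on the home directory`. If no aging is wanted, use `-` in the Age column instead.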
diff --git a/bootc/Containerfile b/bootc/Containerfile
index 26aed9f833fbd85df8d67aeaa6b5ed96dcee3952..e280ede9878d05e24e75de5f08c43da0f10f8f48 100644
--- a/bootc/Containerfile
+++ b/bootc/Containerfile
@@ -67,6 +67,8 @@ COPY --chmod=0644 assets/pam.d/kiosk /usr/lib/pam.d/kiosk
 
 COPY --chmod=0644 assets/sysusers.d/kiosk.conf /usr/lib/sysusers.d/kiosk.conf
 
+COPY --chmod=0644 assets/tmpfiles.d/kiosk.conf /usr/lib/tmpfiles.d/kiosk.conf
+
 COPY --chmod=0644 \
  assets/plymouth/h-da/h-da.plymouth \
  assets/plymouth/h-da/h-da.script \
diff --git a/crates/compositor/src/main.rs b/crates/compositor/src/main.rs
index b930deccfedc83687da1d6f0107838b03a64e1a3..4115a9f3c0118f6a93550fa587238cfb6c1c5ab0 100644
--- a/crates/compositor/src/main.rs
+++ b/crates/compositor/src/main.rs
@@ -1,3 +1,6 @@
+use std::env::home_dir;
+use std::fs::{create_dir, OpenOptions};
+use std::io::ErrorKind;
 use calloop::signals::Signal::{SIGINT, SIGQUIT, SIGTERM};
 use calloop::signals::Signals;
 use clap::{Args, Parser};
@@ -53,6 +56,18 @@ struct Cli {
 }
 
 fn main() {
+    let home_dir_path = home_dir().expect("Home directory unknown"); 
+    if let Err(error) = create_dir(&home_dir_path) {
+        if error.kind() != ErrorKind::AlreadyExists {
+            Err::<(),_>(error).expect("Could not create home directory");
+        }
+    }
+    let home_dir = OpenOptions::new()
+        .read(true)
+        .open(home_dir_path)
+        .expect("Home directory not found");
+    home_dir.lock().expect("Failed to lock home directory");
+
     // Initialize the signals at the very beginning so that every thread will inherit the same
     // signal mask.
     let signal_source = Signals::new(&[SIGINT, SIGTERM, SIGQUIT]).expect("Failed to create signal source.");
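Review bot: `create_dir(&home_dir_path)` creates the home directory with the default mode (0777 masked by the process umask), so unless the umask is restrictive the kiosk home can be read by other local accounts. Setting the mode explicitly avoids depending on the umask: `DirBuilder::new().mode(0o700).create(&home_dir_path)` with `std::os::unix::fs::DirBuilderExt` in scope. `home_dir.lock()` takes an exclusive lock and blocks with no timeout, so a second instance or a stale lock holder hangs startup without any message; `try_lock()` with an explicit error would fail visibly instead. The lock also needs a comment stating what it protects against (presumably systemd-tmpfiles aging) and that `home_dir` must stay open until `main` returns. `Err::<(),_>(error).expect(...)` reads more directly as `panic!("Could not create home directory: {error}")`. The body of `main` continues past the end of this hunk.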
diff --git a/rust-toolchain.toml b/rust-toolchain.toml
index 292fe499e3b25d42211661ba9c7fafe6120186ca..0a3954669fd83f6265f829ad74e983959b74c8d7 100644
--- a/rust-toolchain.toml
+++ b/rust-toolchain.toml
@@ -1,2 +1,3 @@
 [toolchain]
-channel = "stable"
+# TODO: Change to stable as soon as 1.87.0 has been released.
+channel = "nightly"
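Review bot: `channel = "nightly"` floats, so every build of the image uses whatever nightly is current that day. The compositor binary is then not reproducible, and a compiler regression or behaviour change reaches the kiosk image without review. Pin a dated toolchain until the switch back to stable, e.g. `channel = "nightly-YYYY-MM-DD"` (placeholder date; use the nightly the change was tested with). The TODO should also name the API being waited on, so it is clear when the pin can be dropped.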