diff --git a/README.md b/README.md index af5323de..0a54619e 100644 --- a/README.md +++ b/README.md @@ -48,6 +48,7 @@ To explore more examples, tips, and advanced usage, check out the following guid - [Git Authentication](./docs/git-auth.md) - [Caching](./docs/caching.md) - [Custom Certificates](./docs/custom-certificates.md) +- [Users](./docs/users.md) ## Setup Script diff --git a/docs/users.md b/docs/users.md new file mode 100644 index 00000000..6f121cdf --- /dev/null +++ b/docs/users.md @@ -0,0 +1,9 @@ +# Root Privileges + +Envbuilder always expects to be run as `root` in its container, as building an image will most likely require root privileges. Once the image is built, Envbuilder will drop root privileges and `exec` `ENVBUILDER_INIT_COMMAND` / `ENVBUILDER_INIT_SCRIPT` as a non-root user. + +## Choosing a target user + +Envbuilder will first attempt to switch to the `containerUser` defined `devcontainer.json`. +If this is not specified, it will look up the last `USER` directive from the specified `Dockerfile` or image. +If no alternative user is specified, Envbuilder will fallback to `root`.
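Review bot: In the README.md hunk, the new link text `Users` does not match the title of the page it points to, which opens with `# Root Privileges` in docs/users.md. A reader following the link from the guide list lands on a page with a different name. Either rename the link to match the heading or give docs/users.md a top-level `# Users` heading with `Root Privileges` as a subsection, which would also fit the existing `## Choosing a target user` section.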
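Review bot: In the new docs/users.md, the first paragraph and the last line contradict each other. The paragraph says Envbuilder "will drop root privileges and `exec` `ENVBUILDER_INIT_COMMAND` / `ENVBUILDER_INIT_SCRIPT` as a non-root user", while the last line says that with no alternative user specified it falls back to `root`. In the fallback case the init command therefore runs with root privileges, and a reader who stops after the first paragraph will assume otherwise. Suggest qualifying the first paragraph (for example, "will drop root privileges if a non-root target user is configured") and stating under "Choosing a target user" that the init command runs as `root` when neither `containerUser` nor a `USER` directive is present. Two wording fixes in the same section: "defined `devcontainer.json`" is missing "in", and "will fallback to" should be "will fall back to".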