diff --git a/libcontainer/nsinit/init.go b/libcontainer/nsinit/init.go
index cdedc14..23303cd 100644
--- a/libcontainer/nsinit/init.go
+++ b/libcontainer/nsinit/init.go
@@ -8,6 +8,7 @@ import (
 	"github.com/dotcloud/docker/pkg/libcontainer/capabilities"
 	"github.com/dotcloud/docker/pkg/libcontainer/network"
 	"github.com/dotcloud/docker/pkg/system"
+	"github.com/dotcloud/docker/pkg/user"
 	"log"
 	"os"
 	"os/exec"
@@ -110,15 +111,30 @@ func resolveRootfs(uncleanRootfs string) (string, error) {
 }
 
 func setupUser(container *libcontainer.Container) error {
-	// TODO: honor user passed on container
-	if err := system.Setgroups(nil); err != nil {
-		return err
-	}
-	if err := system.Setresgid(0, 0, 0); err != nil {
-		return err
-	}
-	if err := system.Setresuid(0, 0, 0); err != nil {
-		return err
+	if container.User != "" {
+		uid, gid, suppGids, err := user.GetUserGroupSupplementary(container.User, syscall.Getuid(), syscall.Getgid())
+		if err != nil {
+			return err
+		}
+		if err := system.Setgroups(suppGids); err != nil {
+			return err
+		}
+		if err := system.Setgid(gid); err != nil {
+			return err
+		}
+		if err := system.Setuid(uid); err != nil {
+			return err
+		}
+	} else {
+		if err := system.Setgroups(nil); err != nil {
+			return err
+		}
+		if err := system.Setresgid(0, 0, 0); err != nil {
+			return err
+		}
+		if err := system.Setresuid(0, 0, 0); err != nil {
+			return err
+		}
 	}
 	return nil
 }
diff --git a/system/calls_linux.go b/system/calls_linux.go
index 42afa34..0bf42e3 100644
--- a/system/calls_linux.go
+++ b/system/calls_linux.go
@@ -71,6 +71,14 @@ func Setresuid(ruid, euid, suid int) error {
 	return syscall.Setresuid(ruid, euid, suid)
 }
 
+func Setgid(gid int) error {
+	return syscall.Setgid(gid)
+}
+
+func Setuid(uid int) error {
+	return syscall.Setuid(uid)
+}
+
 func Sethostname(name string) error {
 	return syscall.Sethostname([]byte(name))
 }
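Review bot: The container.User branch of setupUser drops privileges through the new system.Setgid/system.Setuid wrappers (second hunk, with their definitions in the system/calls_linux.go hunk), while the root branch right below keeps using Setresgid/Setresuid; as far as I recall, syscall.Setuid and syscall.Setgid on Linux returned EOPNOTSUPP in the Go releases this tree targets (only Go 1.16 made them take effect process-wide), so the non-root path would fail at runtime where the existing resuid path works. Using the wrappers the file already has keeps both branches consistent and makes the saved ids explicit: `if err := system.Setresgid(gid, gid, gid); err != nil {` and `if err := system.Setresuid(uid, uid, uid); err != nil {`, after which the two new wrappers in calls_linux.go are no longer needed. The Setgroups → gid → uid ordering is correct and should stay as is, since the uid change must come last for the group changes to still be permitted. If the wrappers are kept anyway, each exported one needs a doc comment, e.g. `// Setuid sets the uid of the calling process; see syscall.Setuid for platform caveats.`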