diff --git a/oci/spec_opts.go b/oci/spec_opts.go
index d7fe4a29f..50c77396d 100644
--- a/oci/spec_opts.go
+++ b/oci/spec_opts.go
@@ -315,8 +315,14 @@ func WithImageConfigArgs(image Image, args []string) SpecOpts {
 			}
 			s.Process.Cwd = cwd
 			if config.User != "" {
-				return WithUser(config.User)(ctx, client, c, s)
+				if err := WithUser(config.User)(ctx, client, c, s); err != nil {
+					return err
+				}
+				return WithAdditionalGIDs(fmt.Sprintf("%d", s.Process.User.UID))(ctx, client, c, s)
 			}
+			// we should query the image's /etc/group for additional GIDs
+			// even if there is no specified user in the image config
+			return WithAdditionalGIDs("root")(ctx, client, c, s)
 		} else if s.Windows != nil {
 			s.Process.Env = config.Env
 			s.Process.Args = append(config.Entrypoint, config.Cmd...)