diff --git a/tools/packaging/static-build/coco-guest-components/Dockerfile b/tools/packaging/static-build/coco-guest-components/Dockerfile
index 4d533428d9..d5fcedb059 100644
--- a/tools/packaging/static-build/coco-guest-components/Dockerfile
+++ b/tools/packaging/static-build/coco-guest-components/Dockerfile
@@ -8,8 +8,15 @@ ARG RUST_TOOLCHAIN
 ENV DEBIAN_FRONTEND=noninteractive
 
+ENV RUSTUP_HOME="/opt/rustup"
+ENV CARGO_HOME="/opt/cargo"
+ENV PATH="/opt/cargo/bin/:${PATH}"
+
 # Note - the TDX lib is only available on x86, so there is an arch check in the package install
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
+
+RUN mkdir ${RUSTUP_HOME} ${CARGO_HOME} && chmod -R a+rwX ${RUSTUP_HOME} ${CARGO_HOME}
+
 RUN apt-get update && \
 apt-get --no-install-recommends install -y \
 ca-certificates \
@@ -36,5 +43,18 @@ RUN apt-get update && \
 apt-get clean && rm -rf /var/lib/apt/lists/ && \
 curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain ${RUST_TOOLCHAIN}
 
+ENV LIBC="gnu"
+RUN ARCH=$(uname -m); \
+ rust_arch=""; \
+ case "${ARCH}" in \
+ "aarch64") rust_arch="${ARCH}" ;; \
+ "ppc64le") rust_arch="powerpc64le" ;; \
+ "x86_64") rust_arch="${ARCH}" ;; \
+ "s390x") rust_arch="${ARCH}" ;; \
+ *) echo "Unsupported architecture: ${ARCH}" && exit 1 ;; \
+ esac; \
+ echo "RUST_ARCH=${rust_arch}" > /etc/profile.d/rust.sh; \
+ rustup target add "${rust_arch}-unknown-linux-${LIBC}"
+
 # aarch64 requires this name -- link for all
 RUN ln -s /usr/bin/musl-gcc "/usr/bin/$(uname -m)-linux-musl-gcc"
diff --git a/tools/packaging/static-build/coco-guest-components/build-static-coco-guest-components.sh b/tools/packaging/static-build/coco-guest-components/build-static-coco-guest-components.sh
index db3bcd4aa6..c1b1f5f65b 100755
--- a/tools/packaging/static-build/coco-guest-components/build-static-coco-guest-components.sh
+++ b/tools/packaging/static-build/coco-guest-components/build-static-coco-guest-components.sh
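Review bot: `chmod -R a+rwX ${RUSTUP_HOME} ${CARGO_HOME}` makes the whole rustup and cargo tree world-writable, so any process in the container, including build scripts of crates fetched during the build, can replace the compiler and cargo binaries that the remaining steps trust; the intent is presumably to let the arbitrary `--user` UID that build.sh now passes write registry and toolchain data. Since that UID is only known at run time, a narrower option is to keep `/opt/cargo/bin` and the installed toolchain root-owned and open only the directories cargo must write into, or to document in a comment why a world-writable tree is acceptable for a throwaway build container. Note also that this `chmod` runs before `rustup-init` populates the directories in the later `RUN`, so everything rustup creates keeps its default root-only write mode; new entries can still be created under the writable parents, but confirm the rustup proxies and `cargo` do not need to modify existing files there when invoked as a non-root UID.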
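Review bot: The unsupported-architecture arm of the new `case` sends its diagnostic to stdout and chains the exit with `&&`; `*) echo "Unsupported architecture: ${ARCH}" >&2; exit 1 ;; \` puts the message on stderr, where build-log consumers look for errors, and exits regardless of the echo's status. The generated `/etc/profile.d/rust.sh` holds a bare `RUST_ARCH=…` assignment without `export`, which is sufficient for the builder script that sources it with `.` and expands the variable itself, but the value will not reach child processes such as `make`; if the Makefile relies on it, write `export RUST_ARCH=…` instead. A short comment above the `RUN`, e.g. `# Persist the rustup target prefix for the build script, which sources /etc/profile.d/rust.sh`, would explain why the value is written to a file rather than set as an `ENV`.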
@@ -17,45 +17,21 @@ source "${script_dir}/../../scripts/lib.sh"
 
 [ -d "guest-components" ] && rm -rf guest-components
 
-init_env() {
- source "$HOME/.cargo/env"
-
- export LIBC=gnu
-
- ARCH=$(uname -m)
- rust_arch=""
- case ${ARCH} in
- "aarch64")
- rust_arch=${ARCH}
- ;;
- "ppc64le")
- rust_arch="powerpc64le"
- ;;
- "x86_64")
- rust_arch=${ARCH}
- ;;
- "s390x")
- rust_arch=${ARCH}
- ;;
- esac
- rustup target add ${rust_arch}-unknown-linux-${LIBC}
-}
-
 build_coco_guest_components_from_source() {
 echo "build coco-guest-components from source"
 
- init_env
+ . /etc/profile.d/rust.sh
 
- git clone --depth 1 ${coco_guest_components_repo} guest-components
+ git clone --depth 1 "${coco_guest_components_repo}" guest-components
 pushd guest-components
 git fetch --depth=1 origin "${coco_guest_components_version}"
 git checkout FETCH_HEAD
 DESTDIR="${DESTDIR}/usr/local/bin" TEE_PLATFORM=${TEE_PLATFORM} make build
- strip target/${rust_arch}-unknown-linux-${LIBC}/release/confidential-data-hub
- strip target/${rust_arch}-unknown-linux-${LIBC}/release/attestation-agent
- strip target/${rust_arch}-unknown-linux-${LIBC}/release/api-server-rest
+ strip "target/${RUST_ARCH}-unknown-linux-${LIBC}/release/confidential-data-hub"
+ strip "target/${RUST_ARCH}-unknown-linux-${LIBC}/release/attestation-agent"
+ strip "target/${RUST_ARCH}-unknown-linux-${LIBC}/release/api-server-rest"
 DESTDIR="${DESTDIR}/usr/local/bin" TEE_PLATFORM=${TEE_PLATFORM} make install
 popd
 }
diff --git a/tools/packaging/static-build/coco-guest-components/build.sh b/tools/packaging/static-build/coco-guest-components/build.sh
index 96171f0808..03dcd3bde1 100755
--- a/tools/packaging/static-build/coco-guest-components/build.sh
+++ b/tools/packaging/static-build/coco-guest-components/build.sh
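Review bot: After `. /etc/profile.d/rust.sh` the function expands `${RUST_ARCH}` and `${LIBC}` without checking that either is set; both now come from the builder image (the profile.d file and an `ENV`) rather than from this script, so running it outside that image, or with an empty value, produces `strip` paths such as `target/-unknown-linux-/release/...` and a failure far from the cause. Two guards directly after the source line, `: "${RUST_ARCH:?not set by /etc/profile.d/rust.sh}"` and `: "${LIBC:?not set in the builder image}"`, fail fast with a clear message. Sourcing a fixed path from the image also deserves a comment, e.g. `# RUST_ARCH is written by the builder Dockerfile; LIBC comes from its ENV`, since a reader of this script alone cannot see where the values originate.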
@@ -31,8 +31,8 @@ package_output_dir="${package_output_dir:-}"
 container_image="${COCO_GUEST_COMPONENTS_CONTAINER_BUILDER:-$(get_coco_guest_components_image_name)}"
 [ "${CROSS_BUILD}" == "true" ] && container_image="${container_image}-cross-build"
 
-sudo docker pull ${container_image} || \
- (sudo docker $BUILDX build $PLATFORM \
+docker pull ${container_image} || \
+ (docker $BUILDX build $PLATFORM \
 --build-arg RUST_TOOLCHAIN="${coco_guest_components_toolchain}" \
 -t "${container_image}" "${script_dir}" && \
 # No-op unless PUSH_TO_REGISTRY is exported as "yes"
@@ -45,7 +45,7 @@ ATTESTER="none"
 # snp-attester and tdx-attester crates require packages only available on x86
 [ "$(uname -m)" == "x86_64" ] && ATTESTER="snp-attester,tdx-attester"
 
-sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \
+docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \
 -w "${PWD}" \
 --env DESTDIR="${DESTDIR}" \
 --env TEE_PLATFORM=${TEE_PLATFORM:+"all"} \
@@ -53,5 +53,6 @@ sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \
 --env ATTESTER=${ATTESTER:-} \
 --env coco_guest_components_repo="${coco_guest_components_repo}" \
 --env coco_guest_components_version="${coco_guest_components_version}" \
+ --user "$(id -u)":"$(id -g)" \
 "${container_image}" \
 bash -c "${coco_guest_components_builder}"
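Review bot: `docker pull ${container_image} || \` is rewritten in this commit but keeps the expansion unquoted, while the same commit quotes `git clone "${coco_guest_components_repo}"` in the builder script; `docker pull "${container_image}" || \` is consistent and ShellCheck-clean (the `$BUILDX`/`$PLATFORM` expansions on the next line look intentionally unquoted so that empty values vanish and multi-word values split). Dropping `sudo` means the invoking user now needs direct access to the Docker socket, which is itself equivalent to root on the host; that is a fair trade for not running the build as root, but the script's usage text or README should state that Docker group membership or a rootless Docker setup is required.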
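Review bot: `--user "$(id -u)":"$(id -g)"` runs the builder as a UID with no passwd entry in the image, so `HOME` inside the container is whatever Docker falls back to (commonly `/`), and any tool that writes under it fails with a permission error; cargo and rustup are covered by the `CARGO_HOME`/`RUSTUP_HOME` ENVs in the Dockerfile, but `git clone`/`git fetch` in the builder may emit warnings or fail if they try to create per-user config. Passing `--env HOME=/tmp` (or another writable path) next to `--user` removes that class of failure; confirm with one run of the script as a non-root user against a freshly built image. The two shorter hunks in this file (`docker pull`, `docker run`) drop `sudo`, and together with this line that makes the output under `${DESTDIR}` owned by the invoking user rather than root, which is worth a one-line comment above the `docker run`, e.g. `# Run as the invoking user so build artefacts are not root-owned`.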