diff --git a/codex-cli/Dockerfile b/codex-cli/Dockerfile
index 5f894203..4ed3089b 100644
--- a/codex-cli/Dockerfile
+++ b/codex-cli/Dockerfile
@@ -20,7 +20,6 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 less \
 man-db \
 procps \
- sudo \
 unzip \
 ripgrep \
 zsh \
@@ -47,10 +46,10 @@ RUN npm install -g codex.tgz \
 && rm -rf /usr/local/share/npm-global/lib/node_modules/codex-cli/tests \
 && rm -rf /usr/local/share/npm-global/lib/node_modules/codex-cli/docs
 
-# Copy and set up firewall script
-COPY scripts/init_firewall.sh /usr/local/bin/
+# Copy and set up firewall script as root.
 USER root
-RUN chmod +x /usr/local/bin/init_firewall.sh && \
- echo "node ALL=(root) NOPASSWD: /usr/local/bin/init_firewall.sh" > /etc/sudoers.d/node-firewall && \
- chmod 0440 /etc/sudoers.d/node-firewall
+COPY scripts/init_firewall.sh /usr/local/bin/
+RUN chmod 500 /usr/local/bin/init_firewall.sh
+
+# Drop back to non-root.
 USER node
diff --git a/codex-cli/scripts/run_in_container.sh b/codex-cli/scripts/run_in_container.sh
index c95c57ae..1da286a7 100755
--- a/codex-cli/scripts/run_in_container.sh
+++ b/codex-cli/scripts/run_in_container.sh
@@ -57,8 +57,8 @@ docker run --name "$CONTAINER_NAME" -d \
 codex \
 sleep infinity
 
-# Initialize the firewall inside the container.
-docker exec "$CONTAINER_NAME" bash -c "sudo /usr/local/bin/init_firewall.sh"
+# Initialize the firewall inside the container with root privileges.
+docker exec --user root "$CONTAINER_NAME" /usr/local/bin/init_firewall.sh
 
 # Execute the provided command in the container, ensuring it runs in the work directory.
 # We use a parameterized bash command to safely handle the command and directory.
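Review bot: The `COPY` followed by `RUN chmod 500` near the end of the second Dockerfile hunk spends a separate layer on a mode change that the copy can apply itself, `COPY --chmod=500 scripts/init_firewall.sh /usr/local/bin/`, so the script never sits in any layer with a broader mode; this needs BuildKit, i.e. a `# syntax=docker/dockerfile:1` directive at the top of the file, which is outside the hunk and may or may not already be there. The 0500 mode is the right call now that sudo and the sudoers drop-in are gone: `node` can neither read nor execute the script, and only an out-of-band `docker exec --user root` can reach it, which is the point of the hardening. What the Dockerfile cannot express is that a firewall script presumably needs CAP_NET_ADMIN in the container, which must be granted at `docker run` time, so the comment should state the contract: `# Run only via docker exec --user root; the container needs CAP_NET_ADMIN for the rules to apply.`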
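Review bot: The new `docker exec --user root "$CONTAINER_NAME" /usr/local/bin/init_firewall.sh` line is fail-open: if the firewall script exits non-zero, the wrapper continues to the command execution below and runs the user's command with no network restrictions at all, unless `set -e` is in effect from earlier in the script (not visible in this hunk). Make the failure terminal on that line: `docker exec --user root "$CONTAINER_NAME" /usr/local/bin/init_firewall.sh || { echo "firewall init failed; refusing to run unrestricted" >&2; exit 1; }`. Replacing `bash -c "sudo …"` with a direct exec is an improvement in itself, since there is no shell interpolation and no sudoers policy left to maintain, but it does assume the `docker run` that starts before this hunk grants the container CAP_NET_ADMIN; a firewall that silently fails to install must never be treated as success.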