diff --git a/entrypoint.sh b/entrypoint.sh
index e4ff76e..e40181f 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -34,13 +34,16 @@ if [ -n "$TARGET_UID" ] && [ "$TARGET_UID" != "$CURRENT_UID" ]; then
 fi

 # ── SSH key permissions ──────────────────────────────────────────────
-# If SSH keys are mounted, fix permissions (bind mounts may have wrong perms)
+# If SSH keys are mounted, fix permissions (skip if read-only mount)
 if [ -d "/home/$USER_NAME/.ssh" ] && [ "$(ls -A "/home/$USER_NAME/.ssh" 2>/dev/null)" ]; then
- chmod 700 "/home/$USER_NAME/.ssh"
- find "/home/$USER_NAME/.ssh" -type f -name "id_*" ! -name "*.pub" -exec chmod 600 {} \; 2>/dev/null || true
- find "/home/$USER_NAME/.ssh" -type f -name "*.pub" -exec chmod 644 {} \; 2>/dev/null || true
- [ -f "/home/$USER_NAME/.ssh/known_hosts" ] && chmod 644 "/home/$USER_NAME/.ssh/known_hosts"
- [ -f "/home/$USER_NAME/.ssh/config" ] && chmod 600 "/home/$USER_NAME/.ssh/config"
+ if touch "/home/$USER_NAME/.ssh/.perm_test" 2>/dev/null; then
+ rm -f "/home/$USER_NAME/.ssh/.perm_test"
+ chmod 700 "/home/$USER_NAME/.ssh"
+ find "/home/$USER_NAME/.ssh" -type f -name "id_*" ! -name "*.pub" -exec chmod 600 {} \; 2>/dev/null || true
+ find "/home/$USER_NAME/.ssh" -type f -name "*.pub" -exec chmod 644 {} \; 2>/dev/null || true
+ [ -f "/home/$USER_NAME/.ssh/known_hosts" ] && chmod 644 "/home/$USER_NAME/.ssh/known_hosts"
+ [ -f "/home/$USER_NAME/.ssh/config" ] && chmod 600 "/home/$USER_NAME/.ssh/config"
+ fi
 fi

 # ── Drop to developer user for remaining setup ──────────────────────
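Review bot: The writability probe creates and deletes a fixed-name file, `.ssh/.perm_test`, inside a directory that is typically bind-mounted from the host, and this section sits before the drop to the developer user, so it presumably runs as root. `touch` follows a symlink at that path and `rm -f` removes whatever already carries that name, which is more side effect than a permission check needs. A test that writes nothing, `if [ -w "/home/$USER_NAME/.ssh" ]; then`, should cover the read-only case on Linux, where the access check fails on a read-only mount even for root; confirm it on the mount types you support. The skipped branch is also silent: an `else` with `echo "warning: ~/.ssh is not writable, key permissions left unchanged" >&2` would tell the user why ssh may later refuse a private key whose mode is too open.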