diff --git a/rust/gui-client/src-tauri/linux_package/postinst b/rust/gui-client/src-tauri/linux_package/postinst
index d721d5e4b..620514d26 100755
--- a/rust/gui-client/src-tauri/linux_package/postinst
+++ b/rust/gui-client/src-tauri/linux_package/postinst
@@ -4,7 +4,25 @@ set -euo pipefail
 
 SERVICE_NAME="firezone-client-tunnel"
 
-# Creates the system group `firezone-client`
+DISPLAY_USER=$(who | grep '(login screen)' | awk '{print $1}')
+
+if [ -n "${PKEXEC_UID:-}" ]; then
+    INVOKING_USER=$(id -un "$PKEXEC_UID" 2>/dev/null) # Detect user from PolicyKit.
+
+    echo "Detected invoking user from PolicyKit: $INVOKING_USER"
+elif [ -n "${SUDO_USER:-}" ]; then
+    INVOKING_USER="$SUDO_USER" # Detect user from `sudo apt/dnf install`.
+
+    echo "Detected invoking user from SUDO_USER: $INVOKING_USER"
+elif [ -n "${DISPLAY_USER:-}" ]; then
+    INVOKING_USER="$DISPLAY_USER" # Detect user from display session.
+
+    echo "Detected invoking user from display session: $INVOKING_USER"
+fi
+
+sudo sed -i "s/<<USER>>/${INVOKING_USER:-root}/g" "/usr/lib/sysusers.d/firezone-client-tunnel.conf"
+
+# Creates the system group `firezone-client` and adds the group membership.
 sudo systemd-sysusers
 
 echo "Starting and enabling Firezone Tunnel service..."
diff --git a/rust/gui-client/src-tauri/linux_package/sysusers.conf b/rust/gui-client/src-tauri/linux_package/sysusers.conf
index 830b931da..78d0afb99 100644
--- a/rust/gui-client/src-tauri/linux_package/sysusers.conf
+++ b/rust/gui-client/src-tauri/linux_package/sysusers.conf
@@ -2,3 +2,4 @@
 # This creates the `firezone-client` group automatically at startup
 
 g firezone-client -
+m <<USER>> firezone-client -