diff --git a/Dockerfile b/Dockerfile
index 565880c..90a91a3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,9 @@
 FROM mcr.microsoft.com/devcontainers/php:8.3
 
 # Change default umask and add user to web group so we can share write permission on web files
-RUN sed -i 's/^UMASK\s*022/UMASK 002/' /etc/login.defs
+# Configure pam_umask to set umask to 002 (works regardless of /etc/login.defs content)
+RUN sed -i 's/pam_umask\.so/pam_umask.so umask=002/' /etc/pam.d/common-session \
+    && sed -i 's/pam_umask\.so/pam_umask.so umask=002/' /etc/pam.d/common-session-noninteractive
 RUN usermod -aG www-data vscode
 
 # Add glow for formatting command usage output (and because it's just nice)
@@ -57,6 +59,9 @@ RUN sed -i 's/Listen\s*80$/# Listen 80/' /etc/apache2/ports.conf
 # Enable Apache modules
 RUN a2enmod expires headers rewrite
 
+# Set umask for Apache to ensure group-writable files
+RUN echo "umask 002" >> /etc/apache2/envvars
+
 # Install terminus
 RUN curl -L https://github.com/pantheon-systems/terminus/releases/latest/download/terminus.phar --output /usr/local/bin/terminus \
   && chmod +x /usr/local/bin/terminus \
diff --git a/local/etc/uceap.d/refresh_content.sh b/local/etc/uceap.d/refresh_content.sh
index e45d888..e044ebc 100644
--- a/local/etc/uceap.d/refresh_content.sh
+++ b/local/etc/uceap.d/refresh_content.sh
@@ -18,6 +18,8 @@ function refresh_content() {
 	# no-same-permissions doesn't seem to work so we fix it here
 	sudo find web/sites/default/files -type d -exec chmod g+ws {} +
 	sudo find web/sites/default/files -type f -exec chmod g+w {} +
+	# TODO: Temporary workaround for umask issue - remove once Dockerfile umask fix is verified
+	chmod -R g+w web/sites/default/files
 
 	db-rebuild.sh $DATABASE_BACKUP