diff --git a/run_user.go b/run_user.go
index bc7c982d890..9ea2e5f15bc 100644
--- a/run_user.go
+++ b/run_user.go
@@ -17,6 +17,9 @@
 package main
 
 import (
+	"context"
+
+	"github.com/containerd/containerd/containers"
 	"github.com/containerd/containerd/oci"
 	"github.com/urfave/cli/v2"
 )
@@ -24,7 +27,14 @@ import (
 func generateUserOpts(clicontext *cli.Context) ([]oci.SpecOpts, error) {
 	var opts []oci.SpecOpts
 	if u := clicontext.String("user"); u != "" {
-		opts = append(opts, oci.WithUser(u), oci.WithAdditionalGIDs(u))
+		opts = append(opts, oci.WithUser(u), withResetAdditionalGIDs(), oci.WithAdditionalGIDs(u))
 	}
 	return opts, nil
 }
+
+func withResetAdditionalGIDs() oci.SpecOpts {
+	return func(_ context.Context, _ oci.Client, _ *containers.Container, s *oci.Spec) error {
+		s.Process.User.AdditionalGids = nil
+		return nil
+	}
+}
diff --git a/run_user_test.go b/run_user_test.go
new file mode 100644
index 00000000000..fc8b62c7f08
--- /dev/null
+++ b/run_user_test.go
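Review bot: The reset in `withResetAdditionalGIDs` is purely positional — it only does its job because it sits between `oci.WithUser(u)` and `oci.WithAdditionalGIDs(u)` in the append on the changed line, and it dereferences `s.Process` with no nil check, which is safe here only because `oci.WithUser` runs first and, as far as I can tell, is what populates the Process; nothing in the hunk records either constraint. Since the point of the change is that a non-root `--user` must not keep supplementary groups (wheel, disk, …) inherited from earlier spec options, that ordering is a security invariant rather than a style choice and deserves a doc comment on the helper: `// withResetAdditionalGIDs drops supplementary GIDs set by earlier SpecOpts so that a non-root --user does not inherit root's groups (e.g. wheel, disk). It must run after oci.WithUser, which populates s.Process, and before oci.WithAdditionalGIDs, which rebuilds the list for u.` If the helper is ever reused outside that ordering, a guard such as `if s.Process == nil { return nil }` before the assignment avoids a nil-pointer panic on a bare spec. Any later option that adds groups (a `--group-add`-style flag, if one exists) must likewise be appended after this reset or its groups are silently discarded.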
@@ -0,0 +1,46 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package main
+
+import (
+	"testing"
+
+	"github.com/containerd/nerdctl/pkg/testutil"
+)
+
+func TestRunUserGID(t *testing.T) {
+	base := testutil.NewBase(t)
+	testCases := map[string]string{
+		"":       "root bin daemon sys adm disk wheel floppy dialout tape video",
+		"1000":   "root",
+		"guest":  "users",
+		"nobody": "nobody",
+	}
+	for userStr, expected := range testCases {
+		userStr := userStr
+		expected := expected
+		t.Run(userStr, func(t *testing.T) {
+			t.Parallel()
+			cmd := []string{"run", "--rm"}
+			if userStr != "" {
+				cmd = append(cmd, "--user", userStr)
+			}
+			cmd = append(cmd, testutil.AlpineImage, "id", "-nG")
+			base.Cmd(cmd...).AssertOut(expected)
+		})
+	}
+}
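Review bot: The regression test's value hinges on whether `AssertOut` compares the whole output or looks for a substring, which I cannot tell from the hunk; if it is a substring match, the `"1000": "root"` case at the `base.Cmd(cmd...).AssertOut(expected)` line passes even when the leaked supplementary groups come back, because `root bin daemon sys adm …` still contains `root` — exactly the regression this change is meant to catch. An exact comparison, e.g. `base.Cmd(cmd...).AssertOutExactly(expected + "\n")` if the helper offers it, or asserting the trimmed stdout equals `expected`, pins the fixed behavior. The expected strings also appear to be tied to the group database of the pinned `testutil.AlpineImage`, so a comment above `testCases` such as `// expected groups come from /etc/passwd and /etc/group in testutil.AlpineImage; the "" case is the root baseline, update all of them if the image is bumped` would spare the next person who bumps the image a debugging session.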