diff --git a/first_time_install.sh b/first_time_install.sh
index 8ceea729..e320de81 100644
--- a/first_time_install.sh
+++ b/first_time_install.sh
@@ -364,6 +364,19 @@ else
 fi
 echo ""
+CURRENT_STEP="Harden systemd unit file permissions"
+echo "Step 7.1: Setting systemd unit file permissions..."
+echo "-----------------------------------------------"
+for unit in "/etc/systemd/system/ledmatrix.service" "/etc/systemd/system/ledmatrix-web.service"; do
+ if [ -f "$unit" ]; then
+ chown root:root "$unit" || true
+ chmod 644 "$unit" || true
+ fi
+done
+systemctl daemon-reload || true
+echo "✓ Systemd unit file permissions set"
+echo ""
+
 CURRENT_STEP="Configure web interface permissions"
 echo "Step 8: Configuring web interface permissions..."
 echo "------------------------------------------------"
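Review bot: In the Step 7.1 loop, `chown root:root "$unit" || true` and `chmod 644 "$unit" || true` both discard their exit status, and `✓ Systemd unit file permissions set` is printed unconditionally, so a failed hardening step is reported as success. The step exists so that unit files are not writable by a non-root account, so a failure should at least be visible, for example `chown root:root "$unit" && chmod 644 "$unit" || { echo "⚠ Could not harden $unit" >&2; UNIT_PERMS_OK=0; }`, with the ✓ line printed only when no unit failed (`UNIT_PERMS_OK` is a name made up for this note). `[ -f "$unit" ]` also follows symlinks, so if either path can be a link into the project tree (not visible here), the chown and chmod land on the link target; adding `[ ! -L "$unit" ]` to the test would rule that out.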
@@ -457,6 +470,27 @@ fi
 echo "✓ File ownership configured"
 echo ""
+CURRENT_STEP="Normalize project file permissions"
+echo "Step 10.1: Normalizing project file and directory permissions..."
+echo "--------------------------------------------------------------"
+
+# Normalize directory permissions (exclude VCS metadata)
+find "$PROJECT_ROOT_DIR" -path "*/.git*" -prune -o -type d -exec chmod 755 {} +
+
+# Set default file permissions
+find "$PROJECT_ROOT_DIR" -path "*/.git*" -prune -o -type f -exec chmod 644 {} +
+
+# Ensure shell scripts are executable
+find "$PROJECT_ROOT_DIR" -path "*/.git*" -prune -o -type f -name "*.sh" -exec chmod 755 {} +
+
+# Explicitly ensure common helper scripts are executable (in case paths change)
+chmod 755 "$PROJECT_ROOT_DIR/start_display.sh" "$PROJECT_ROOT_DIR/stop_display.sh" 2>/dev/null || true
+chmod 755 "$PROJECT_ROOT_DIR/fix_cache_permissions.sh" "$PROJECT_ROOT_DIR/fix_web_permissions.sh" 2>/dev/null || true
+chmod 755 "$PROJECT_ROOT_DIR/install_service.sh" "$PROJECT_ROOT_DIR/install_web_service.sh" 2>/dev/null || true
+
+echo "✓ Project file permissions normalized"
+echo ""
+
 CURRENT_STEP="Sound module configuration"
 echo "Step 11: Sound module configuration..."
 echo "-------------------------------------"
diff --git a/fix_cache_permissions.sh b/fix_cache_permissions.sh
index 1512f156..a3fa3e15 100644
--- a/fix_cache_permissions.sh
+++ b/fix_cache_permissions.sh
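Review bot: The second `find` in Step 10.1 applies `chmod 644` to every regular file under `$PROJECT_ROOT_DIR`, which makes any credential or API-key file kept in the project tree world-readable and overrides tighter modes an earlier step may have set. It also clears the execute bit on everything that is not `*.sh`, for example Python entry points or a virtualenv `bin/` directory if one lives under the project root (not visible here). A symbolic mode keeps existing execute bits and covers directories in the same pass: `find "$PROJECT_ROOT_DIR" -path "*/.git*" -prune -o \( -type d -o -type f \) -exec chmod u=rwX,go=rX {} +`, followed by an explicit tighter mode such as `chmod 600 "$PROJECT_ROOT_DIR/<secrets-file>"` for files that hold secrets (placeholder path; use 640 with the service's group if the service runs as a different account). Unlike the neighbouring `chmod` lines, the three `find` calls have no `|| true`, so whether a failure aborts the installer depends on error handling outside this hunk.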
@@ -6,15 +6,22 @@ echo "Fixing LEDMatrix cache directory permissions..."
-CACHE_DIRS=(
- "/var/cache/ledmatrix"
- "/home/ledpi/.ledmatrix_cache"
-)
-
 # Get the real user (not root when running with sudo)
 REAL_USER=${SUDO_USER:-$USER}
+# Resolve the home directory of the real user robustly
+if command -v getent >/dev/null 2>&1; then
+ REAL_HOME=$(getent passwd "$REAL_USER" | cut -d: -f6)
+else
+ REAL_HOME=$(eval echo ~"$REAL_USER")
+fi
 REAL_GROUP=$(id -gn "$REAL_USER")
+# Known cache directories for LEDMatrix. Use the actual user's home instead of a hard-coded path.
+CACHE_DIRS=(
+ "/var/cache/ledmatrix"
+ "$REAL_HOME/.ledmatrix_cache"
+)
+
 for CACHE_DIR in "${CACHE_DIRS[@]}"; do
 echo ""
 echo "Checking cache directory: $CACHE_DIR"
@@ -25,6 +32,7 @@ for CACHE_DIR in "${CACHE_DIRS[@]}"; do
 echo " - Current permissions:"
 ls -ld "$CACHE_DIR"
 echo " - Fixing permissions..."
+ # Make directory writable by services regardless of user context
 sudo chmod 777 "$CACHE_DIR"
 sudo chown "$REAL_USER":"$REAL_GROUP" "$CACHE_DIR"
 echo " - Updated permissions:"
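Review bot: The fallback `REAL_HOME=$(eval echo ~"$REAL_USER")` passes an environment-derived value (`SUDO_USER` or `USER`) through `eval`, so any shell metacharacters in it would be executed, and neither branch checks that `REAL_HOME` came back non-empty. An empty result turns the second `CACHE_DIRS` entry into `/.ledmatrix_cache`, which the loop further down hands to `sudo chmod` and `sudo chown`. The fallback can read the passwd file without `eval`: `REAL_HOME=$(awk -F: -v u="$REAL_USER" '$1 == u { print $6 }' /etc/passwd)`. Both branches should then be followed by `[ -n "$REAL_HOME" ] && [ -d "$REAL_HOME" ] || { echo "Cannot resolve home directory for $REAL_USER" >&2; exit 1; }`.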
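Review bot: The added comment presents `sudo chmod 777 "$CACHE_DIR"` as intended, but mode 777 without the sticky bit lets any local account delete, replace or symlink files that the services later read or write, and after this commit one of those directories is resolved inside the real user's home. If several service accounts need write access, giving the directory a group they share and using `sudo chmod 2775 "$CACHE_DIR"` is tighter; if world-write really is required, `sudo chmod 1777 "$CACHE_DIR"` at least stops accounts removing each other's files. The comment should then name who needs access, e.g. `# Writable by the display and web service accounts via group <service-group>` (placeholder group name). The enclosing `for` loop starts and ends outside this hunk.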