diff --git a/common/.local/bin/steam b/common/.local/bin/steam
new file mode 100755
index 000000000..cbd24eca1
--- /dev/null
+++ b/common/.local/bin/steam
@@ -0,0 +1,49 @@
+#!/bin/bash
+
+set -euo pipefail
+
+STEAM_ROOT="${XDG_DATA_HOME}/steamroot"
+
+mkdir -p "$STEAM_ROOT"
+
+args=(
+    --die-with-parent
+
+    --dev-bind /dev /dev
+    --proc /proc
+    --bind /run /run
+    --bind /sys /sys
+    --bind /tmp /tmp
+    --ro-bind /lib /lib
+    --ro-bind /lib32 /lib32
+    --ro-bind /lib64 /lib64
+
+    --bind "$STEAM_ROOT" "$HOME"
+    --chdir "$HOME"
+
+    --unsetenv XDG_CACHE_HOME
+    --unsetenv XDG_CONFIG_HOME
+    --unsetenv XDG_DATA_HOME
+    --unsetenv XDG_STATE_HOME
+
+    --tmpfs /tmp/.X11-unix
+)
+
+install -m 1777 -d /tmp/dumps
+args+=(--bind-try /tmp/dumps /tmp/dumps)
+
+for dir in /bin /etc /lib /lib64 /sbin /usr /var; do
+    args+=(--ro-bind "$dir" "$dir")
+done
+
+if [[ "${DISPLAY}" == *:* ]]; then
+    display_nr=$(echo "$DISPLAY" | cut -d':' -f2 | cut -d'.' -f1)
+    local_socket="/tmp/.X11-unix/X${display_nr}"
+    args+=(--ro-bind-try "$local_socket" "$local_socket")
+fi
+
+if [[ "${XAUTHORITY:-}" == /tmp/* ]]; then
+    args+=(--ro-bind-try "$XAUTHORITY" "$XAUTHORITY")
+fi
+
+exec bwrap "${args[@]}" -- /usr/bin/steam -disable-cef-sandbox "$@"