diff --git a/engine/compiler/compiler.go b/engine/compiler/compiler.go
index 63ae1eb..418523a 100644
--- a/engine/compiler/compiler.go
+++ b/engine/compiler/compiler.go
@@ -6,6 +6,7 @@ package compiler
 import (
 "context"
+ "path/filepath"
 "strings"
 "github.com/drone-runners/drone-runner-docker/engine"
@@ -462,6 +463,18 @@ func (c *Compiler) isPrivileged(step *resource.Step) bool {
 if len(step.Entrypoint) > 0 {
 return false
 }
+ for _, mount := range step.Volumes {
+ path, _ := filepath.Abs(mount.MountPath)
+ path = strings.ToLower(path)
+ switch {
+ case path == "/":
+ return false
+ case path == "/var":
+ return false
+ case strings.Contains(path, "/var/run"):
+ return false
+ }
+ }
 // if the container image matches any image
 // in the whitelist, return true.
 for _, img := range c.Privileged {
diff --git a/engine/compiler/compiler_test.go b/engine/compiler/compiler_test.go
index 9030979..660c23f 100644
--- a/engine/compiler/compiler_test.go
+++ b/engine/compiler/compiler_test.go
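Review bot: In the volume loop added to `isPrivileged` (the `@@ -462,6 +463,18 @@` hunk of compiler.go), the error from `filepath.Abs` is discarded, so on failure `path` is empty, no case matches, and the step can still be granted privileged mode; the check should fail closed with `path, err := filepath.Abs(mount.MountPath)` followed by `if err != nil { return false }`. `filepath.Abs` also resolves relative values against the runner's working directory under host OS rules, while `MountPath` names a location inside the container, so a slash-only normaliser such as `path.Clean` looks like the better fit (the local variable `path` would need renaming). The rule set is a three-entry denylist and `strings.Contains` is a substring test rather than a path-prefix test, so it is both narrow and imprecise; disabling privileged mode whenever a whitelisted image has any volume mounted would be the safer default, assuming that matches the intent. A short comment above the loop stating why volume mounts revoke the whitelist would help, e.g. `// privileged mode is disabled if the step mounts a volume at a restricted path`. The function starts and ends outside the hunk.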
@@ -211,3 +211,41 @@ func dump(v interface{}) {
 enc.SetIndent("", " ")
 enc.Encode(v)
 }
+
+// This test verifies that privileged whitelisting is disabled when
+// certain attributes, such as the entrypoint, command or commands
+// are configured.
+func TestIsPrivileged(t *testing.T) {
+ c := new(Compiler)
+ c.Privileged = []string{"foo"}
+ if c.isPrivileged(&resource.Step{Image: "foo", Commands: []string{"echo hello", "echo world"}}) {
+ t.Errorf("Disable privileged mode if commands are specified")
+ }
+ if c.isPrivileged(&resource.Step{Image: "foo", Command: []string{"echo hello", "echo world"}}) {
+ t.Errorf("Disable privileged mode if the Docker command is specified")
+ }
+ if c.isPrivileged(&resource.Step{Image: "foo", Entrypoint: []string{"/bin/sh"}}) {
+ t.Errorf("Disable privileged mode if the Docker entrypoint is specified")
+ }
+ if c.isPrivileged(&resource.Step{Image: "foo", Volumes: []*resource.VolumeMount{{MountPath: "/var/run/docker.sock"}}}) {
+ t.Errorf("Disable privileged mode if /var/run/docker.sock mounted")
+ }
+ if c.isPrivileged(&resource.Step{Image: "foo", Volumes: []*resource.VolumeMount{{MountPath: "/var"}}}) {
+ t.Errorf("Disable privileged mode if /var mounted")
+ }
+ if c.isPrivileged(&resource.Step{Image: "foo", Volumes: []*resource.VolumeMount{{MountPath: "/var/"}}}) {
+ t.Errorf("Disable privileged mode if /var mounted")
+ }
+ if c.isPrivileged(&resource.Step{Image: "foo", Volumes: []*resource.VolumeMount{{MountPath: "/var//"}}}) {
+ t.Errorf("Disable privileged mode if /var mounted")
+ }
+ if c.isPrivileged(&resource.Step{Image: "foo", Volumes: []*resource.VolumeMount{{MountPath: "/var/run"}}}) {
+ t.Errorf("Disable privileged mode if /var/run mounted")
+ }
+ if c.isPrivileged(&resource.Step{Image: "foo", Volumes: []*resource.VolumeMount{{MountPath: "/"}}}) {
+ t.Errorf("Disable privileged mode if / mounted")
+ }
+ if !c.isPrivileged(&resource.Step{Image: "foo"}) {
+ t.Errorf("Enable privileged mode for privileged image")
+ }
+}
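Review bot: `TestIsPrivileged` has no case where a whitelisted image mounts a volume at an unrestricted path and is expected to stay privileged, so neither the precision of the `strings.Contains` match nor a regression that revokes privilege for every volume would be noticed. A case such as `MountPath: "/cache"` asserting `isPrivileged` returns true would pin that down. The `strings.ToLower` step is also unexercised; a mixed-case input like `"/VAR/RUN"` would cover it. The doc comment still lists only entrypoint, command and commands; its last line could read `// are configured, or when a volume is mounted at a restricted path.` The near-identical `if` blocks would be easier to extend as a table-driven loop.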