diff --git a/internal/fusefrontend/fs.go b/internal/fusefrontend/fs.go
index c4035fa..d6467f9 100644
--- a/internal/fusefrontend/fs.go
+++ b/internal/fusefrontend/fs.go
@@ -255,21 +255,22 @@ func (fs *FS) Chown(path string, uid uint32, gid uint32, context *fuse.Context)
 if fs.isFiltered(path) {
 return fuse.EPERM
 }
- cPath, err := fs.getBackingPath(path)
+ dirfd, cName, err := fs.openBackingPath(path)
 if err != nil {
 return fuse.ToStatus(err)
 }
- code = fuse.ToStatus(os.Lchown(cPath, int(uid), int(gid)))
+ defer dirfd.Close()
+ code = fuse.ToStatus(syscallcompat.Fchownat(int(dirfd.Fd()), cName, int(uid), int(gid), unix.AT_SYMLINK_NOFOLLOW))
 if !code.Ok() {
 return code
 }
 if !fs.args.PlaintextNames {
 // When filename encryption is active, every directory contains
 // a "gocryptfs.diriv" file. This file should also change the owner.
- // Instead of checking if "cPath" is a directory, we just blindly
- // execute the Lchown on "cPath/gocryptfs.diriv" and ignore errors.
- dirIVPath := filepath.Join(cPath, nametransform.DirIVFilename)
- os.Lchown(dirIVPath, int(uid), int(gid))
+ // Instead of checking if "cName" is a directory, we just blindly
+ // execute the chown on "cName/gocryptfs.diriv" and ignore errors.
+ dirIVPath := filepath.Join(cName, nametransform.DirIVFilename)
+ syscallcompat.Fchownat(int(dirfd.Fd()), dirIVPath, int(uid), int(gid), unix.AT_SYMLINK_NOFOLLOW)
 }
 return fuse.OK
 }
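Review bot: The second `Fchownat`, on `dirIVPath`, still resolves a two-component path (`cName/gocryptfs.diriv`) relative to `dirfd`, and `AT_SYMLINK_NOFOLLOW` only covers the final component. If `cName` is swapped for a symlink in the backing directory between the two calls, the kernel follows it and the ownership change lands on a `gocryptfs.diriv` outside the intended directory. The first call is not affected because `cName` is a single component. I would open `cName` itself with `O_DIRECTORY|O_NOFOLLOW` relative to `dirfd` and chown `nametransform.DirIVFilename` against that descriptor, as sketched below. This assumes `unix.Openat` is acceptable here (a `syscallcompat` wrapper may be preferred), and note that `O_RDONLY` needs read permission on the directory. The body of `Chown` starts above this hunk, so the sketch shows only the final `if` block.

```go
	if !fs.args.PlaintextNames {
		// … unchanged: comment explaining why gocryptfs.diriv is chowned too …
		// Open cName without following a symlink so the diriv lookup cannot
		// be redirected through an intermediate path component.
		fd, err := unix.Openat(int(dirfd.Fd()), cName, unix.O_RDONLY|unix.O_DIRECTORY|unix.O_NOFOLLOW, 0)
		if err == nil {
			// Errors stay ignored on purpose: cName may simply not be a directory.
			syscallcompat.Fchownat(fd, nametransform.DirIVFilename, int(uid), int(gid), unix.AT_SYMLINK_NOFOLLOW)
			unix.Close(fd)
		}
	}
```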