diff --git a/cmd/yggdrasil/main.go b/cmd/yggdrasil/main.go
index 95d401517..f1ef29c40 100644
--- a/cmd/yggdrasil/main.go
+++ b/cmd/yggdrasil/main.go
@@ -194,6 +194,8 @@ type yggArgs struct {
 getaddr bool
 getsnet bool
 loglevel string
+ runuid int
+ rungid int
 }
 func getArgs() yggArgs {
@@ -208,7 +210,10 @@ func getArgs() yggArgs {
 getaddr := flag.Bool("address", false, "returns the IPv6 address as derived from the supplied configuration")
 getsnet := flag.Bool("subnet", false, "returns the IPv6 subnet as derived from the supplied configuration")
 loglevel := flag.String("loglevel", "info", "loglevel to enable")
+ runuid := flag.Int("uid", -1, "drop privileges to this user id")
+ rungid := flag.Int("gid", -1, "drop privileges to this group id")
 flag.Parse()
+
 return yggArgs{
 genconf: *genconf,
 useconf: *useconf,
@@ -221,6 +226,8 @@ func getArgs() yggArgs {
 getaddr: *getaddr,
 getsnet: *getsnet,
 loglevel: *loglevel,
+ runuid: *runuid,
+ rungid: *rungid,
 }
 }
@@ -366,6 +373,23 @@ func run(args yggArgs, ctx context.Context, done chan struct{}) {
 address := n.core.Address()
 subnet := n.core.Subnet()
 public := n.core.GetSelf().Key
+ // Lower permissions from root to something else, if the user wants to
+ if syscall.Getuid() == 0 {
+ if args.rungid > 0 {
+ logger.Infoln("Setting gid to:", args.rungid)
+ if err := setgid(args.rungid); err != nil {
+ logger.Errorln("Failed to set gid:", err)
+ return
+ }
+ }
+ if args.runuid > 0 {
+ logger.Infoln("Setting uid to:", args.runuid)
+ if err := setuid(args.runuid); err != nil {
+ logger.Errorln("Failed to set uid:", err)
+ return
+ }
+ }
+ }
 logger.Infof("Your public key is %s", hex.EncodeToString(public[:]))
 logger.Infof("Your IPv6 address is %s", address.String())
 logger.Infof("Your IPv6 subnet is %s", subnet.String())
diff --git a/cmd/yggdrasil/setids_other.go b/cmd/yggdrasil/setids_other.go
new file mode 100644
index 000000000..3b7f6a342
--- /dev/null
+++ b/cmd/yggdrasil/setids_other.go
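Review bot: The help strings for the new `-uid` and `-gid` flags do not say that they are only honoured when the daemon is started as root, nor that passing `-uid` alone leaves the process with gid 0 as its primary group — both follow from the `Getuid() == 0` gate and the separate `rungid > 0` / `runuid > 0` checks in the run() hunk further down. Suggest `runuid := flag.Int("uid", -1, "drop privileges to this user id once the node is up (only when started as root; pair with -gid)")` and the matching wording for `-gid`. Note also that `0` and negative values are silently treated as "do not drop", which the help text could state. getArgs continues past the end of this hunk.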
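Review bot: The drop in run() never clears the supplementary group list inherited from root: `setgid` only changes the primary gid, so whatever groups the root process held (typically gid 0 when launched from a root shell) stay effective after the switch, and giving `-uid` without `-gid` additionally keeps gid 0 as the primary group. Adding a `setgroups` helper next to setuid/setgid (wrapping `syscall.Setgroups` in setids_unix.go, an error stub in setids_other.go) and calling it before `setgid` closes that gap; the rewritten gid branch is in the fence below. The gate should probably test `syscall.Geteuid() == 0` rather than `Getuid()`: a setuid-root binary has a non-zero real uid and would skip the drop while still running with root privileges. The diff adds no `syscall` import to main.go, so this presumably relies on one already present; and since run() continues outside the hunk it is not visible whether the early `return` on failure closes `done` or tears down the node that was already brought up before this point.
```go
	// Lower permissions from root to something else, if the user wants to
	if syscall.Geteuid() == 0 {
		if args.rungid > 0 {
			logger.Infoln("Setting gid to:", args.rungid)
			// Supplementary groups are untouched by setgid; clear them
			// first or the process keeps root's group memberships.
			if err := setgroups([]int{args.rungid}); err != nil {
				logger.Errorln("Failed to set groups:", err)
				return
			}
			if err := setgid(args.rungid); err != nil {
				logger.Errorln("Failed to set gid:", err)
				return
			}
		}
		// … unchanged: uid handling …
	}
```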
@@ -0,0 +1,13 @@
+// +build !aix,!darwin,!dragonfly,!freebsd,!linux,!netbsd,!openbsd,!solaris
+
+package main
+
+import "errors"
+
+func setuid(uid int) error {
+ return errors.New("setting uid not supported on this platform")
+}
+
+func setgid(gid int) error {
+ return errors.New("setting gid not supported on this platform")
+}
diff --git a/cmd/yggdrasil/setids_unix.go b/cmd/yggdrasil/setids_unix.go
new file mode 100644
index 000000000..66a87fcb0
--- /dev/null
+++ b/cmd/yggdrasil/setids_unix.go
@@ -0,0 +1,13 @@
+// +build aix darwin dragonfly freebsd linux netbsd openbsd solaris
+
+package main
+
+import "syscall"
+
+func setuid(uid int) error {
+ return syscall.Setuid(uid)
+}
+
+func setgid(gid int) error {
+ return syscall.Setgid(gid)
+}
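Review bot: On the platforms this stub file covers, the "not supported" errors it returns are most likely unreachable: on Windows, for instance, Go's `syscall.Getuid()` returns -1 rather than 0, so the `Getuid() == 0` gate in run() never calls `setuid`/`setgid`, and a `-uid`/`-gid` given there is silently ignored instead of failing. If the flags are meant to fail loudly where dropping is impossible, run() would have to invoke the helpers (or consult a per-platform constant) independently of the uid test; otherwise the stubs should say so in a doc comment, e.g. `// setuid is a stub: privilege dropping is not implemented on this platform; run() does not reach it because Getuid() is never 0 here.` Both functions currently have no doc comment at all.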
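Review bot: `syscall.Setuid` and `syscall.Setgid` on Linux apply to the whole process only from Go 1.16 onward; on older toolchains they return EOPNOTSUPP because the raw syscalls affect just the calling thread, so with an older Go the drop in run() would always fail (safely, since run() returns on error, but the daemon would never start with these flags). Worth a comment and a stated minimum toolchain, e.g. `// On Linux these apply to all threads only with Go >= 1.16; older releases return EOPNOTSUPP.` The two wrappers also lack doc comments. A companion `func setgroups(gids []int) error { return syscall.Setgroups(gids) }` belongs in this file so callers can clear inherited supplementary groups before changing gid, which `Setgid` alone does not do; the negated build tag in setids_other.go would need a matching stub.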