diff --git a/config.template.yaml b/config.template.yaml
index 7b8d3829..abbfedb3 100644
--- a/config.template.yaml
+++ b/config.template.yaml
@@ -194,3 +194,11 @@ ffmpeg:
   enabled: false
 
 link-domain-blacklist: []
+
+# Drop root if started as root!!
+setuid:
+  enabled: false
+  group: 'users'
+  user: 'user'
+# how long to wait in ms before changing uid/gid
+  timeout: 15
diff --git a/lib/config.js b/lib/config.js
index 0859ee50..cdab3806 100644
--- a/lib/config.js
+++ b/lib/config.js
@@ -100,7 +100,13 @@ var defaults = {
     ffmpeg: {
         enabled: false
     },
-    "link-domain-blacklist": []
+    "link-domain-blacklist": [],
+    setuid: {
+        enabled: false,
+        "group": "users",
+        "user": "nobody",
+        "timeout": 15
+    },
 };
 
 /**
diff --git a/lib/server.js b/lib/server.js
index 5291041a..88032089 100644
--- a/lib/server.js
+++ b/lib/server.js
@@ -108,6 +108,9 @@ var Server = function () {
 
     // background tasks init ----------------------------------------------
     require("./bgtask")(self);
+
+    // setuid
+    require("./setuid");
 };
 
 Server.prototype.getHTTPIP = function (req) {
diff --git a/lib/setuid.js b/lib/setuid.js
new file mode 100644
index 00000000..82345531
--- /dev/null
+++ b/lib/setuid.js
@@ -0,0 +1,15 @@
+var Config = require("./config");
+
+if (Config.get("setuid.enabled")) {
+    setTimeout(function() {
+        try {
+            console.log('Old User ID: ' + process.getuid() + ', Old Group ID: ' + process.getgid());
+            process.setgid(Config.get("setuid.group"));
+            process.setuid(Config.get("setuid.user"));
+            console.log('New User ID: ' + process.getuid() + ', New Group ID: ' + process.getgid());
+        } catch (err) {
+            console.log('Cowardly refusing to keep the process alive as root.');
+            process.exit(1);
+        }
+    }, (Config.get("setuid.timeout")));
+};