diff --git a/src/shrpx.cc b/src/shrpx.cc
index 5c1defd3..d0171de7 100644
--- a/src/shrpx.cc
+++ b/src/shrpx.cc
@@ -39,6 +39,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
@@ -256,6 +257,12 @@ std::unique_ptr create_acceptor(ConnectionHandler *handler,
 namespace {
 void drop_privileges() {
 if (getuid() == 0 && get_config()->uid != 0) {
+ if (initgroups(get_config()->user.get(), get_config()->gid) != 0) {
+ auto error = errno;
+ LOG(FATAL) << "Could not change supplementary groups: " << strerror(error);
+ exit(EXIT_FAILURE);
+ }
 if (setgid(get_config()->gid) != 0) {
 auto error = errno;
 LOG(FATAL) << "Could not change gid: " << strerror(error);
@@ -714,6 +721,7 @@ void fill_default_config() {
 mod_config()->insecure = false;
 mod_config()->cacert = nullptr;
 mod_config()->pid_file = nullptr;
+ mod_config()->user = nullptr;
 mod_config()->uid = 0;
 mod_config()->gid = 0;
 mod_config()->pid = getpid();
diff --git a/src/shrpx_config.cc b/src/shrpx_config.cc
index f3057e67..eda2c566 100644
--- a/src/shrpx_config.cc
+++ b/src/shrpx_config.cc
@@ -758,6 +758,7 @@ int parse_config(const char *opt, const char *optarg) {
 << strerror(errno);
 return -1;
 }
+ mod_config()->user = strcopy(pwd->pw_name);
 mod_config()->uid = pwd->pw_uid;
 mod_config()->gid = pwd->pw_gid;
diff --git a/src/shrpx_config.h b/src/shrpx_config.h
index c64a2c69..8a500893 100644
--- a/src/shrpx_config.h
+++ b/src/shrpx_config.h
@@ -272,6 +272,7 @@ struct Config {
 int syslog_facility;
 int backlog;
 int argc;
+ std::unique_ptr user;
 uid_t uid;
 gid_t gid;
 pid_t pid;
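Review bot: `initgroups()` in drop_privileges() is handed `get_config()->user.get()` without a null check; within this diff `user` defaults to nullptr in fill_default_config() and is assigned only on the passwd path in parse_config(), so any path that sets `uid` without passing through that assignment would call initgroups with a null name. A guard ahead of the call makes the invariant explicit: `if (!get_config()->user) { LOG(FATAL) << "Could not change supplementary groups: user name is not set"; exit(EXIT_FAILURE); }`. A one-line comment such as `// must run before setgid()/setuid(): initgroups() needs the root privilege being dropped` would also document why the new block sits first. drop_privileges() continues past the end of the hunk, so the setuid step and any verification that privileges cannot be regained are not visible here.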
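Review bot: The new assignment in parse_config() stores `pwd->pw_name` rather than the option text, and that choice deserves a comment because initgroups() later resolves the account by this name and `pwd` (looked up earlier in the function, outside the hunk) presumably points at storage the config does not own. Suggest `// own a copy of the canonical account name; drop_privileges() passes it to initgroups()` above the line. The copy itself looks correct; only the intent is undocumented.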
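Review bot: The new `user` member of `struct Config` has no comment, although its ownership and null state matter to the privilege-dropping path: it is nullptr by default and holds the copied account name consumed by initgroups() in drop_privileges(). Suggest `// owned copy of the account name from the passwd entry; nullptr when no user is configured`. The template argument of `std::unique_ptr` is not visible in this rendering (it appears to have been stripped), so the element type and deleter cannot be checked from here.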