diff --git a/cage.c b/cage.c
index d4cf210..9c7098a 100644
--- a/cage.c
+++ b/cage.c
@@ -65,6 +65,25 @@ spawn_primary_client(char *argv[], pid_t *pid_out)
 return true;
 }
 
+static bool
+drop_permissions(void)
+{
+ if (getuid() != geteuid() || getgid() != getegid()) {
+ if (setuid(getuid()) != 0 || setgid(getgid()) != 0) {
+ wlr_log(WLR_ERROR, "Unable to drop root, refusing to start");
+ return false;
+ }
+ }
+
+ if (setuid(0) != -1) {
+ wlr_log(WLR_ERROR, "Unable to drop root (we shouldn't be able to "
+ "restore it after setuid), refusing to start");
+ return false;
+ }
+
+ return true;
+}
+
 static int
 handle_signal(int signal, void *data)
 {
@@ -184,6 +203,11 @@ main(int argc, char *argv[])
 goto end;
 }
 
+ if (!drop_permissions()) {
+ ret = 1;
+ goto end;
+ }
+
 renderer = wlr_backend_get_renderer(server.backend);
 wlr_renderer_init_wl_display(renderer, server.wl_display);
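Review bot: In drop_permissions the ids are dropped in the wrong order: `setuid(getuid())` runs before `setgid(getgid())`, so once the effective uid is no longer root the process may lack the privilege to change its gid, and a binary that is both setuid and setgid would fail here instead of dropping cleanly. Swap the calls, `if (setgid(getgid()) != 0 || setuid(getuid()) != 0) {`. The follow-up check probes only `setuid(0)`; it should also confirm the group cannot be regained, `if (setgid(0) != -1 || setuid(0) != -1) {`. When the program is started by real root, `setuid(0)` succeeds and this check refuses to start, which deserves either an explicit early branch or a comment stating that it is intended.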
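Review bot: The `drop_permissions()` call in main has no comment saying why the drop sits at this exact point, and the position is the security-relevant part: everything above it runs with the elevated ids and everything below does not. I would add above the `if`: `/* Drop setuid/setgid privileges before any further initialisation; code above this line still runs with the elevated ids. */`. main starts and ends outside the hunk, so the step that precedes the call is not visible here. The call to spawn_primary_client (named in the first hunk header) is not visible either; confirm it is only invoked after this point so the client never inherits the elevated ids.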