diff --git a/tlsserver.go b/tlsserver.go
index 452aead..4564a4f 100644
--- a/tlsserver.go
+++ b/tlsserver.go
@@ -15,8 +15,11 @@ var (
 	cfile = flag.String("cert", "cert.pem", "Certificate file in PEM format")
 	kfile = flag.String("key", "key.pem", "Key file in PEM format")
 	port  = flag.Int("port", 1234, "Port to bind to")
-	uid   = flag.Int("uid", -1, "UID to run under")
-	gid   = flag.Int("gid", -1, "GID to run under")
+	/*
+		Rather than using setuid/setgid we rely on setcap CAP_NET_BIND_SERVICE
+		uid   = flag.Int("uid", -1, "UID to run under")
+		gid   = flag.Int("gid", -1, "GID to run under")
+	*/
 	args  []string
 	nargs int
 )
@@ -53,22 +56,28 @@ func main() {
 	}
 	defer sock.Close()
 
-	// set uid/gid
-	if *gid >= 0 {
-		err := setgid(*gid) // syscall.Setgid(*gid)
-		if err != nil {
-			fmt.Println("Couldn't setgid to", *gid, ":", err)
-			os.Exit(4)
-		}
-	}
+	/*
+		The right way to handle/drop privileges is to start with a
+		low-privileged user and use setcap CAP_NET_BIND_SERVICE on the
+		binary to allow for the listen-operation.
 
-	if *uid >= 0 {
-		err := setuid(*uid) // syscall.Setuid(*uid)
-		if err != nil {
-			fmt.Println("Couldn't setuid to", *uid, ":", err)
-			os.Exit(4)
+		// set uid/gid
+		if *gid >= 0 {
+			err := setgid(*gid) // syscall.Setgid(*gid)
+			if err != nil {
+				fmt.Println("Couldn't setgid to", *gid, ":", err)
+				os.Exit(4)
+			}
 		}
-	}
+
+		if *uid >= 0 {
+			err := setuid(*uid) // syscall.Setuid(*uid)
+			if err != nil {
+				fmt.Println("Couldn't setuid to", *uid, ":", err)
+				os.Exit(4)
+			}
+		}
+	*/
 
 	// accept-loop
 	for {
@@ -91,6 +100,7 @@ func handleConnection(conn net.Conn) {
 	cmd.Stdin = conn
 	cmd.Stdout = conn
 	cmd.Stderr = os.Stderr
+	cmd.SysProcAttr = &syscall.SysProcAttr{}
 
 	// prepare environment according to tcp-environ(5)
 	lh, lp, err := net.SplitHostPort(conn.LocalAddr().String())