diff --git a/srcpkgs/wpa_supplicant/INSTALL.msg b/srcpkgs/wpa_supplicant/INSTALL.msg
new file mode 100644
index 00000000000..ca03234d01b
--- /dev/null
+++ b/srcpkgs/wpa_supplicant/INSTALL.msg
@@ -0,0 +1,4 @@
+The runit service now uses Linux capabilities to run as non-root.
+If you edited `wpa_supplicant.conf` files, you must set
+ `control_interface_group=_wpas`
+there, so that the unprivileged daemon can function properly.
diff --git a/srcpkgs/wpa_supplicant/files/wpa_supplicant.conf b/srcpkgs/wpa_supplicant/files/wpa_supplicant.conf
index 60141532035..3d213b67b8b 100644
--- a/srcpkgs/wpa_supplicant/files/wpa_supplicant.conf
+++ b/srcpkgs/wpa_supplicant/files/wpa_supplicant.conf
@@ -1,7 +1,7 @@
# Default configuration file for wpa_supplicant.conf(5).
ctrl_interface=/run/wpa_supplicant
-ctrl_interface_group=wheel
+ctrl_interface_group=_wpas
eapol_version=1
ap_scan=1
fast_reauth=1
diff --git a/srcpkgs/wpa_supplicant/files/wpa_supplicant/run b/srcpkgs/wpa_supplicant/files/wpa_supplicant/run
index 29829f12cfa..d2d90b72a23 100644
--- a/srcpkgs/wpa_supplicant/files/wpa_supplicant/run
+++ b/srcpkgs/wpa_supplicant/files/wpa_supplicant/run
@@ -7,5 +7,14 @@ else
OPTS="${AUTO}"
fi

+# automigrate
+chown -R _wpas:_wpas /etc/wpa_supplicant
+! [ -d /run/wpa_supplicant ] && install -m 700 -g _wpas -o _wpas -d /run/wpa_supplicant
+chown -R _wpas:_wpas /run/wpa_supplicant
+
exec 2>&1
-exec wpa_supplicant ${OPTS}
+exec setpriv --reuid _wpas --regid _wpas --clear-groups \
--ambient-caps -all,+net_admin,+net_raw \
--inh-caps -all,+net_admin,+net_raw \
--bounding-set -all,+net_admin,+net_raw \
--no-new-privs -- wpa_supplicant ${OPTS}
diff --git a/srcpkgs/wpa_supplicant/template b/srcpkgs/wpa_supplicant/template
index 67be2a65c3d..e1cc953f3e5 100644
--- a/srcpkgs/wpa_supplicant/template
+++ b/srcpkgs/wpa_supplicant/template
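Review bot: The third added line of INSTALL.msg names a directive wpa_supplicant does not have: the option is `ctrl_interface_group`, which is exactly what the packaged `wpa_supplicant.conf` in this same commit sets, not `control_interface_group`, so a user who follows the message verbatim adds an unknown global key (wpa_supplicant does not accept unrecognised keys in the global section) instead of granting the unprivileged daemon access to its control socket. Change that line to `ctrl_interface_group=_wpas`. The message could also state that members of `wheel`, who had control-interface access under the previous default, now need to be added to the `_wpas` group to keep using `wpa_cli`; that follows from the conf change in this commit but is not mentioned here.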
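Review bot: The two `chown -R _wpas:_wpas` lines in the run hunk execute as root on every service start over directories that, after the first start, are owned by the unprivileged daemon; GNU `chown -R` changes the target of any symlink it meets unless `-h` is given, so a compromised `_wpas` process that plants a symlink to an arbitrary file inside `/etc/wpa_supplicant` or `/run/wpa_supplicant` gets that file handed to it on the next restart, which undoes the privilege separation the same hunk introduces. The migration should pass `-h`, run only while the directory is still root-owned so it is a one-shot step rather than a per-start root action, and the `/run` directory, which the new `install -o _wpas` line already creates with the right owner, only needs the chown when it pre-dates the upgrade. Separately, giving the daemon ownership of `/etc/wpa_supplicant` also gives it write access to its own configuration, PSKs included; group read via `chgrp`/`chmod g+r` would suffice unless `update_config=1` is relied on, which is worth confirming against the intended deployments. The `! [ -d ... ] && install ...` form also reads more naturally as `[ -d ... ] || install ...`.
```sh
# automigrate: one-shot, and never follow symlinks inside a directory the
# unprivileged daemon may already own (a per-start root chown -R would
# otherwise chown whatever a planted symlink points at)
if [ "$(stat -c %U /etc/wpa_supplicant 2>/dev/null)" != "_wpas" ]; then
	chown -Rh _wpas:_wpas /etc/wpa_supplicant
fi
[ -d /run/wpa_supplicant ] || install -m 700 -g _wpas -o _wpas -d /run/wpa_supplicant
if [ "$(stat -c %U /run/wpa_supplicant)" != "_wpas" ]; then
	chown -Rh _wpas:_wpas /run/wpa_supplicant
fi
# … unchanged: exec 2>&1 and the setpriv exec line …
```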
@@ -20,6 +20,7 @@ make_check=no # has no test suite build_options="dbus readline" build_options_default="dbus readline" conf_files="/etc/${pkgname}/${pkgname}.conf" +system_accounts="_wpas" pre_build() { cp -f ${FILESDIR}/config .config