diff --git a/srcpkgs/wpa_supplicant/INSTALL b/srcpkgs/wpa_supplicant/INSTALL
new file mode 100644
index 00000000000000..a87791656dc05d
--- /dev/null
+++ b/srcpkgs/wpa_supplicant/INSTALL
@@ -0,0 +1,7 @@
+# INSTALL
+case "$ACTION" in
+post)
+ chown -R root:_wpas /etc/wpa_supplicant/*
+ chmod 640 /etc/wpa_supplicant/*
+ ;;
+esac
diff --git a/srcpkgs/wpa_supplicant/INSTALL.msg b/srcpkgs/wpa_supplicant/INSTALL.msg
new file mode 100644
index 00000000000000..7ddac2a712b249
--- /dev/null
+++ b/srcpkgs/wpa_supplicant/INSTALL.msg
@@ -0,0 +1,10 @@
+The runit service now uses Linux capabilities to run as non-root.
+If you edited `wpa_supplicant.conf` files, you must set
+ `control_interface_group=_wpas`
+there, so that the unprivileged daemon can function properly.
+You must also
+ `chown -R _wpas:_wpas /run/wpa_supplicant`
+before restarting the service with a mounted /run.
+Finally, note that due to a bug in wpa_cli, you must run it as
+ `(umask 0 && wpa_cli)`
+for the supplicant to be able to communicate with it.
diff --git a/srcpkgs/wpa_supplicant/files/wpa_supplicant.conf b/srcpkgs/wpa_supplicant/files/wpa_supplicant.conf
index 601415320354cb..3d213b67b8b507 100644
--- a/srcpkgs/wpa_supplicant/files/wpa_supplicant.conf
+++ b/srcpkgs/wpa_supplicant/files/wpa_supplicant.conf
@@ -1,7 +1,7 @@
 # Default configuration file for wpa_supplicant.conf(5).
 ctrl_interface=/run/wpa_supplicant
-ctrl_interface_group=wheel
+ctrl_interface_group=_wpas
 eapol_version=1
 ap_scan=1
 fast_reauth=1
diff --git a/srcpkgs/wpa_supplicant/files/wpa_supplicant/run b/srcpkgs/wpa_supplicant/files/wpa_supplicant/run
index 0bb6ff43caf912..a698d5013ecc90 100644
--- a/srcpkgs/wpa_supplicant/files/wpa_supplicant/run
+++ b/srcpkgs/wpa_supplicant/files/wpa_supplicant/run
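Review bot: `chmod 640 /etc/wpa_supplicant/*` on the post) branch strips the execute bit from any subdirectory of /etc/wpa_supplicant, making its contents unreachable, and unlike the `chown -R` on the line above it does not recurse, so nested files keep whatever mode they had; `find /etc/wpa_supplicant -mindepth 1 -type f -exec chmod 640 -- {} +` applies the intended mode to files only. Because the same commit makes `_wpas` the control-interface group in the shipped wpa_supplicant.conf, every user added to `_wpas` for wpa_cli access also gains read access to the PSKs in these files, which the old root:root ownership did not couple to control-interface membership; that trade-off deserves a comment here, e.g. `# group-readable by _wpas: the daemon and every wpa_cli user can read the PSKs in these files`. Since this hook runs on every post-install it also resets any mode an administrator tightened, and if a config sets update_config=1 the daemon, now running as `_wpas` with group read only, presumably can no longer write it back — confirm.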
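Review bot: INSTALL.msg in this commit tells users to set `control_interface_group=_wpas`, but the key this hunk changes is `ctrl_interface_group`; a user who follows the message verbatim adds an unknown option, which wpa_supplicant presumably rejects when parsing the config, so the message should quote the key exactly as written here. Switching the group from wheel to `_wpas` also means existing administrators lose wpa_cli access until they are added to `_wpas`, and neither INSTALL nor INSTALL.msg says so; a line such as `Add wpa_cli users to the _wpas group (usermod -aG _wpas USER).` belongs in INSTALL.msg.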
@@ -7,10 +7,13 @@
 else
 OPTS="${AUTO}"
 fi
-# revert automigrate
-chown -R root:root /etc/wpa_supplicant
-! [ -d /run/wpa_supplicant ] && install -m 700 -g root -o root -d /run/wpa_supplicant
-chown -R root:root /run/wpa_supplicant
+! [ -d /run/wpa_supplicant ] && install -m 0750 -g _wpas -o _wpas -d /run/wpa_supplicant
+
+_caps=-all,+net_admin,+net_raw
 exec 2>&1
-exec wpa_supplicant ${OPTS}
+exec setpriv --reuid _wpas --regid _wpas --clear-groups \
+ --ambient-caps $_caps \
+ --inh-caps $_caps \
+ --bounding-set $_caps \
+ --no-new-privs -- wpa_supplicant ${OPTS}
diff --git a/srcpkgs/wpa_supplicant/template b/srcpkgs/wpa_supplicant/template
index cc6c8ab38bf4f4..1a02306da4af53 100644
--- a/srcpkgs/wpa_supplicant/template
+++ b/srcpkgs/wpa_supplicant/template
@@ -1,7 +1,7 @@
 # Template file for 'wpa_supplicant'
 pkgname=wpa_supplicant
 version=2.11
-revision=3
+revision=4
 build_wrksrc="${pkgname}"
 build_style=gnu-makefile
 make_build_args="V=1 BINDIR=/usr/bin"
@@ -20,6 +20,7 @@ make_check=no # has no test suite
 build_options="dbus readline"
 build_options_default="dbus readline"
 conf_files="/etc/${pkgname}/${pkgname}.conf"
+system_accounts="_wpas"
 pre_build() {
 cp -f ${FILESDIR}/config .config
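Review bot: The guarded `! [ -d /run/wpa_supplicant ] && install ...` leaves an already-existing /run/wpa_supplicant untouched, so on an upgrade without a reboot the directory created by the previous version (root:root, mode 700 per the removed line) stays as it is and the daemon, now running as `_wpas`, cannot create its control socket there; the script is still root at this point, so it can fix that itself instead of relying on the manual chown in INSTALL.msg: `mkdir -p /run/wpa_supplicant`, `chown _wpas:_wpas /run/wpa_supplicant`, `chmod 0750 /run/wpa_supplicant`. The capability set and `--no-new-privs` look right for an nl80211 supplicant; if `${OPTS}` ever enables the D-Bus interface, the upstream dbus policy file as far as I recall only lets root own the bus name, so a policy for `_wpas` would be needed too — confirm against the shipped dbus configuration. `setpriv` comes from util-linux; if that is not guaranteed by the base system it belongs in the template's depends. The run script begins before this hunk, so the OPTS selection is only partly visible here.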