diff --git a/Makefile.am b/Makefile.am
index 20c6e589de4d8ab5feaab41c3f8cc1c559ca2f06..35b17768f1328771a8a22a556e8aa8ad38cd7875 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -514,6 +514,9 @@ lib/_autoconf.py: Makefile stamp-directories
 echo "PKGLIBDIR = '$(pkglibdir)'"; \
 echo "DRBD_BARRIERS = $(DRBD_BARRIERS)"; \
 echo "SYSLOG_USAGE = '$(SYSLOG_USAGE)'"; \
+ echo "DAEMONS_GROUP = '$(DAEMONS_GROUP)'"; \
+ echo "MASTERD_USER = '$(MASTERD_USER)'"; \
+ echo "RAPI_USER = '$(RAPI_USER)'"; \
 } > $@
 $(REPLACE_VARS_SED): Makefile
diff --git a/daemons/ganeti-rapi b/daemons/ganeti-rapi
index a5d34069052f2e9f416a6af5f33b5f60b0c579bd..fe08cb0d21ef3cb6869a815b2821b625bd778f5d 100755
--- a/daemons/ganeti-rapi
+++ b/daemons/ganeti-rapi
@@ -214,21 +214,23 @@ def CheckRapi(options, args):
 ssconf.CheckMaster(options.debug)
+ # Read SSL certificate (this is a little hackish to read the cert as root)
+ if options.ssl:
+ options.ssl_params = http.HttpSslParams(ssl_key_path=options.ssl_key,
+ ssl_cert_path=options.ssl_cert)
+ else:
+ options.ssl_params = None
+
 def ExecRapi(options, _):
 """Main remote API function, executed with the PID file held.
 """
- # Read SSL certificate
- if options.ssl:
- ssl_params = http.HttpSslParams(ssl_key_path=options.ssl_key,
- ssl_cert_path=options.ssl_cert)
- else:
- ssl_params = None
 mainloop = daemon.Mainloop()
 server = RemoteApiHttpServer(mainloop, options.bind_address, options.port,
- ssl_params=ssl_params, ssl_verify_peer=False,
+ ssl_params=options.ssl_params,
+ ssl_verify_peer=False,
 request_executor_class=JsonErrorRequestExecutor)
 # pylint: disable-msg=E1101
 # it seems pylint doesn't see the second parent class there
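Review bot: The new comment in CheckRapi calls reading the certificate there "a little hackish" but does not state the invariant the change relies on, which is the one a future maintainer is most likely to break by moving the read back into ExecRapi: CheckRapi runs before the daemon switches to RAPI_USER (the user/group arguments to GenericMain are added in the next hunk), so the private key can stay readable by root only. I would replace the comment with `# Read the SSL key/cert here, while still running as root: if GenericMain drops privileges to RAPI_USER before ExecRapi, the key file need not be readable by the daemon user.` (hedged because the privilege switch itself is not visible in this diff). It is also worth a one-line note that `options.ssl_params` is a new attribute set here purely for ExecRapi's benefit, since CheckRapi otherwise reads as a pure validation step and pylint will not see the attribute. The body of CheckRapi starts outside the hunk.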
@@ -251,7 +253,8 @@ def main():
 dirs.append((constants.LOG_OS_DIR, 0750))
 daemon.GenericMain(constants.RAPI, parser, dirs, CheckRapi, ExecRapi,
 default_ssl_cert=constants.RAPI_CERT_FILE,
- default_ssl_key=constants.RAPI_CERT_FILE)
+ default_ssl_key=constants.RAPI_CERT_FILE,
+ user=constants.RAPI_USER, group=constants.DAEMONS_GROUP)
 if __name__ == "__main__":
diff --git a/lib/constants.py b/lib/constants.py
index 3dd8875975d03469304d88386097bfb59e5a1457..a70ede25b4b4863fd636d06015e58e0917863cd4 100644
--- a/lib/constants.py
+++ b/lib/constants.py
@@ -82,16 +82,21 @@ CONFIG_MINOR = int(_autoconf.VERSION_MINOR)
 CONFIG_REVISION = 0
 CONFIG_VERSION = BuildVersion(CONFIG_MAJOR, CONFIG_MINOR, CONFIG_REVISION)
+# user separation
+DAEMONS_GROUP = _autoconf.DAEMONS_GROUP
+MASTERD_USER = _autoconf.MASTERD_USER
+RAPI_USER = _autoconf.RAPI_USER
+
 # file paths
 DATA_DIR = _autoconf.LOCALSTATEDIR + "/lib/ganeti"
 RUN_DIR = _autoconf.LOCALSTATEDIR + "/run"
 RUN_GANETI_DIR = RUN_DIR + "/ganeti"
 BDEV_CACHE_DIR = RUN_GANETI_DIR + "/bdev-cache"
 DISK_LINKS_DIR = RUN_GANETI_DIR + "/instance-disks"
-RUN_DIRS_MODE = 0755
+RUN_DIRS_MODE = 0775
 SOCKET_DIR = RUN_GANETI_DIR + "/socket"
 SECURE_DIR_MODE = 0700
-SOCKET_DIR_MODE = SECURE_DIR_MODE
+SOCKET_DIR_MODE = 0750
 CRYPTO_KEYS_DIR = RUN_GANETI_DIR + "/crypto"
 CRYPTO_KEYS_DIR_MODE = SECURE_DIR_MODE
 IMPORT_EXPORT_DIR = RUN_GANETI_DIR + "/import-export"
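Review bot: Passing `user=constants.RAPI_USER, group=constants.DAEMONS_GROUP` to GenericMain changes who runs ExecRapi, but the directories handed over in `dirs` (including `constants.LOG_OS_DIR` at mode 0750 two lines above) are still requested with modes that only make sense for a root-owned daemon, and nothing in this hunk shows them, the log file or the PID file being chowned to RAPI_USER or made group-writable for DAEMONS_GROUP. If GenericMain creates them as root before switching user, the daemon will lose the ability to write its log after the drop; I cannot see GenericMain from here, so this may already be handled there. Either way the contract deserves a comment at the call site, e.g. `# GenericMain must create dirs and the PID/log files so that RAPI_USER can write to them after the privilege drop`. The body of main() starts outside the hunk.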
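Review bot: `RUN_DIRS_MODE = 0775` makes every directory created with it group-writable, which is only safe if those directories are chgrp'd to the restricted DAEMONS_GROUP and no root-running component creates files in them without O_EXCL/O_NOFOLLOW, since a group-writable directory shared between root and a less-privileged daemon is the standard symlink/race vector; the hunk shows neither the chgrp nor which writers are affected. On a root:root directory the extra group bit is harmless but pointless, while on a DAEMONS_GROUP directory it extends write access to every daemon user, so the intent should be recorded next to the constant, e.g. `# group-writable so daemons running as MASTERD_USER/RAPI_USER can create files here; directories using this mode must be owned by DAEMONS_GROUP and root-side writers must not follow symlinks`, and the sticky bit (01775) is worth considering so one daemon user cannot unlink another's files. `SOCKET_DIR_MODE = 0750` likewise only grants traversal; the socket's own group and mode must match for DAEMONS_GROUP clients to connect, so a comment such as `# traversable by DAEMONS_GROUP so unprivileged daemons can reach the master socket; the socket itself must be group-accessible too` would make the dependency explicit. I note CRYPTO_KEYS_DIR_MODE correctly stays at SECURE_DIR_MODE.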