diff --git a/platform_unix.go b/platform_unix.go
index e4e0ea2..5000e4a 100644
--- a/platform_unix.go
+++ b/platform_unix.go
@@ -12,6 +12,8 @@ import (
 func platformFlags() {
 	flag.StringVar(&socket, "socket", "", "path to a Unix socket (e.g. /tmp/webhook.sock) to use instead of listening on an ip and port; if specified, the ip and port options are ignored")
+	flag.IntVar(&setGID, "setgid", 0, "set group ID after opening listening port; must be used with setuid, not permitted with -socket")
+	flag.IntVar(&setUID, "setuid", 0, "set user ID after opening listening port; must be used with setgid, not permitted with -socket")
 }
 func trySocketListener() (net.Listener, error) {
@@ -35,6 +37,9 @@ func trySocketListener() (net.Listener, error) {
 	}
 	// if we get to here, we got no sockets from systemd, so check -socket flag
 	if socket != "" {
+		if setGID != 0 || setUID != 0 {
+			return nil, fmt.Errorf("-setuid and -setgid options are not compatible with -socket. If you need to bind a socket as root but run webhook as a different user, consider using systemd activation")
+		}
 		addr = fmt.Sprintf("{unix:%s}", socket)
 		return net.Listen("unix", socket)
 	}
diff --git a/webhook.go b/webhook.go
index 6d8aadc..9ed793c 100644
--- a/webhook.go
+++ b/webhook.go
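Review bot: The message built on the new `return nil, fmt.Errorf(...)` line in trySocketListener is a two-sentence string with a capital letter and a trailing period, which Go convention (and staticcheck ST1005) discourages and which reads oddly if a caller ever wraps it; the format string also carries no verbs. A single lowercase clause keeps the advice: `return nil, fmt.Errorf("the -setuid and -setgid options are not compatible with -socket; to bind a socket as root but run webhook as a different user, use systemd socket activation instead")`. Placing the guard ahead of net.Listen is the right order, since the rejected combination then never creates the socket file. The body of trySocketListener begins outside this hunk, so whether the systemd-activation path above is also expected to honour these flags cannot be judged from here.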
@@ -48,8 +48,6 @@ var (
 	useXRequestID = flag.Bool("x-request-id", false, "use X-Request-Id header, if present, as request ID")
 	xRequestIDLimit = flag.Int("x-request-id-limit", 0, "truncate X-Request-Id header to limit; default no limit")
 	maxMultipartMem = flag.Int64("max-multipart-mem", 1<<20, "maximum memory in bytes for parsing multipart form data before disk caching")
-	setGID = flag.Int("setgid", 0, "set group ID after opening listening port; must be used with setuid")
-	setUID = flag.Int("setuid", 0, "set user ID after opening listening port; must be used with setgid")
 	httpMethods = flag.String("http-methods", "", `set default allowed HTTP methods (ie. "POST"); separate methods with comma`)
 	pidPath = flag.String("pidfile", "", "create PID file at the given path")
@@ -61,6 +59,8 @@ var (
 	watcher *fsnotify.Watcher
 	signals chan os.Signal
 	pidFile *pidfile.PIDFile
+	setUID = 0
+	setGID = 0
 	socket = ""
 	addr = ""
 )
@@ -107,7 +107,7 @@ func main() {
 		os.Exit(0)
 	}
-	if (*setUID != 0 || *setGID != 0) && (*setUID == 0 || *setGID == 0) {
+	if (setUID != 0 || setGID != 0) && (setUID == 0 || setGID == 0) {
 		fmt.Println("error: setuid and setgid options must be used together")
 		os.Exit(1)
 	}
@@ -142,8 +142,8 @@ func main() {
 		}
 	}
-	if *setUID != 0 {
-		err := dropPrivileges(*setUID, *setGID)
+	if setUID != 0 {
+		err := dropPrivileges(setUID, setGID)
 		if err != nil {
 			logQueue = append(logQueue, fmt.Sprintf("error dropping privileges: %s", err))
 			// we'll bail out below
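Review bot: The new `setUID = 0` and `setGID = 0` entries in the var block carry no comment saying why they are plain ints rather than flag results like the neighbouring fields; a reader of webhook.go alone cannot see that platformFlags in platform_unix.go binds them with flag.IntVar, and on builds where platformFlags does not register these flags they presumably stay 0, so the dropPrivileges branch in main would never run there. Suggest `// setUID/setGID are bound to -setuid/-setgid by platformFlags (platform_unix.go); they stay 0 where those flags are not registered.` above the two lines. The two main() hunks only drop the pointer dereferences and need nothing further. The var block begins outside this hunk.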