diff --git a/contrib/systemd/unbound-anchor.service.in b/contrib/systemd/unbound-anchor.service.in
index bf46c3f14..1324b4486 100644
--- a/contrib/systemd/unbound-anchor.service.in
+++ b/contrib/systemd/unbound-anchor.service.in
@@ -58,9 +58,11 @@ OnFailure=logger "Error (unbound-anchor): Please check root anchor."
 WantedBy=multi-user.target
 [Service]
+User=unbound
+Group=unbound
 ExecCondition=@UNBOUND_RUN_DIR@/roothints-sig.sh
 ExecStart=/bin/cp "/etc/trusted-key.key" @UNBOUND_ROOTKEY_FILE@
-ExecStart=/bin/sudo -u unbound @UNBOUND_SBIN_DIR@/unbound-anchor -f "/etc/resolv.conf" -r @UNBOUND_RUN_DIR@/root.hints -a @UNBOUND_ROOTKEY_FILE@ -c @UNBOUND_RUN_DIR@/icannbundle.pem
+ExecStart=@UNBOUND_SBIN_DIR@/unbound-anchor -f "/etc/resolv.conf" -r @UNBOUND_RUN_DIR@/root.hints -a @UNBOUND_ROOTKEY_FILE@ -c @UNBOUND_RUN_DIR@/icannbundle.pem
 NotifyAccess=main
 Type=oneshot
 # TODO: Needs checking. Does unbound-anchor require net capabilities?
diff --git a/contrib/systemd/unbound-roothints.service.in b/contrib/systemd/unbound-roothints.service.in
index d6f22b1f5..e0a1de2f5 100644
--- a/contrib/systemd/unbound-roothints.service.in
+++ b/contrib/systemd/unbound-roothints.service.in
@@ -58,6 +58,8 @@ OnFailure=logger "Error (unbound-roothints): Please check root hints."
 WantedBy=multi-user.target
 [Service]
+User=unbound
+Group=unbound
 ExecStart=/bin/curl -o @UNBOUND_RUN_DIR@/root.hints https://www.internic.net/domain/named.cache
 ExecStart=/bin/curl -o @UNBOUND_RUN_DIR@/root-hints.md5 https://www.internic.net/domain/named.cache.md5
 ExecStart=/bin/curl -o @UNBOUND_RUN_DIR@/icannbundle.pem https://data.iana.org/root-anchors/icannbundle.pem
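Review bot: `User=unbound` applies to every command in `[Service]`, so `ExecCondition=@UNBOUND_RUN_DIR@/roothints-sig.sh` and the `/bin/cp` into `@UNBOUND_ROOTKEY_FILE@` now run unprivileged as well, whereas the removed `sudo -u unbound` dropped privileges only for unbound-anchor. The oneshot therefore fails before unbound-anchor starts unless the unbound account can execute the script and write the rootkey directory. A comment above those two lines would record the requirement, e.g. `# All Exec* lines run as unbound; the directory of @UNBOUND_ROOTKEY_FILE@ must be writable by that user`. Since the service no longer starts as root, `NoNewPrivileges=yes` and an empty `CapabilityBoundingSet=` look like a natural follow-up to the TODO, if the rest of the unit (outside this hunk) does not already set them.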
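Review bot: With `User=unbound` the three curl downloads write `root.hints`, `root-hints.md5` and `icannbundle.pem` as what is presumably the resolver's own account, so that account can later rewrite the CA bundle the anchor unit passes to `unbound-anchor -c`. If unbound only needs to read these files, fetching them under a separate account and leaving them read-only for unbound would keep the bootstrap material out of the daemon's reach. Separately, none of the curl lines uses `--fail`, so an HTTP error body is saved as if it were the requested file and the unit still succeeds. `ExecStart=/bin/curl --fail -o @UNBOUND_RUN_DIR@/root.hints …` on each line would make the oneshot fail instead. The unit may continue past the end of this hunk.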