diff --git a/.gitignore b/.gitignore
index 7664764..8c2394e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-/clevis-4.tar.bz2
+/clevis-5.tar.bz2
diff --git a/clevis.spec b/clevis.spec
index 02668be..8b983dc 100644
--- a/clevis.spec
+++ b/clevis.spec
@@ -1,7 +1,7 @@
 %global _hardened_build 1
 
 Name: clevis
-Version: 4
+Version: 5
 Release: 1%{?dist}
 Summary: Automated decryption framework
 
@@ -59,6 +59,7 @@ Automatically unlocks LUKSv1 block devices in early boot.
 %package udisks2
 Summary: UDisks2/Storaged integration for clevis
 Requires: %{name}-luks%{?_isa} = %{version}-%{release}
+Requires(pre): shadow-utils
 
 %description udisks2
 Automatically unlocks LUKSv1 block devices in desktop environments that
@@ -73,12 +74,21 @@ use UDisks2 or storaged (like GNOME).
 
 %install
 %make_install
+%{__sed} -i "s|^\(Exec=.*/clevis-luks-udisks2\)$|\1 -u %{name} -g %{name}|" \
+ %{buildroot}/%{_sysconfdir}/xdg/autostart/%{name}-luks-udisks2.desktop
 
 %check
 desktop-file-validate \
  %{buildroot}/%{_sysconfdir}/xdg/autostart/%{name}-luks-udisks2.desktop
 %make_build check
 
+%pre udisks2
+getent group %{name} >/dev/null || groupadd -r %{name}
+getent passwd %{name} >/dev/null || \
+ useradd -r -g %{name} -d %{_localstatedir}/cache/%{name} -s /sbin/nologin \
+ -c "Clevis Decryption Framework unprivileged user" %{name}
+exit 0
+
 %files
 %license COPYING
 %{_bindir}/%{name}-decrypt-http
@@ -107,6 +117,10 @@ desktop-file-validate \
 %attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2
 
 %changelog
+* Mon Jun 26 2017 Nathaniel McCallum - 5-1
+- New upstream release
+- Run clevis decryption from udisks2 under an unprivileged user
+
 * Wed Jun 14 2017 Nathaniel McCallum - 4-1
 - New upstream release
 
diff --git a/sources b/sources
index c8774a7..005ab13 100644
--- a/sources
+++ b/sources
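Review bot: The `%{__sed}` rewrite added to `%install` (hunk `@@ -73,12 +74,21 @@`) fails open: if the upstream `Exec=` line ever stops matching `^\(Exec=.*/clevis-luks-udisks2\)$` (extra arguments, trailing whitespace, a renamed helper), sed still exits 0 and the desktop file ships without `-u %{name} -g %{name}`. The `%files` context in the last clevis.spec hunk shows that helper installed `%attr(4755, root, root)`, so a silent miss presumably leaves it running with root privileges instead of as the new account. `desktop-file-validate` in `%check` does not catch this; adding `grep -q -- ' -u %{name} -g %{name}$' %{buildroot}/%{_sysconfdir}/xdg/autostart/%{name}-luks-udisks2.desktop` to `%check` would turn it into a build failure. Separately, the `exit 0` ending `%pre udisks2` hides a failed `groupadd`/`useradd`, and what the helper does when the named user is missing is not visible here, so it is worth confirming that it refuses to run rather than continuing as root.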
@@ -1,2 +1 @@
-SHA512 (clevis-3.tar.bz2) = 770ceaab58aa9c4d6d4acc69db2c683aa11f309d315f4c14d4685edc3787f9c02996b8cc7215a4a6fc624a50ba4780ca15a122d10666f4ea0b9c71376b59f06d
-SHA512 (clevis-4.tar.bz2) = 73264cd9da6c064950aa6066242dd6c83cd2479bc4ec79221f69c6b2aa07c6dfe34c6e3868c374f669fc2bfc9abbb04cf13cc35c1c534cf306e7ea21bb1b67ed
+SHA512 (clevis-5.tar.bz2) = 2679b2f9575a98eb325202f899d34cbe1e32de7cb06d58178a7890e5ca477f3c8761050db1751812b220ee1321cf7f5a24a819c2c88b93619b255c5def03ce70