diff --git a/libpromises/conversion.c b/libpromises/conversion.c
index f812ca491a..eb11fcb838 100644
--- a/libpromises/conversion.c
+++ b/libpromises/conversion.c
@@ -1190,10 +1190,9 @@ gid_t Str2Gid(const char *gidbuff, char *groupcopy, const Promise *pp)
         }
         else if ((gr = getgrnam(gidbuff)) == NULL)
         {
-            Log(LOG_LEVEL_INFO, "Unknown group '%s' in promise", gidbuff);
-
             if (pp)
             {
+                Log(LOG_LEVEL_INFO, "Unknown group '%s' in promise", gidbuff);
                 PromiseRef(LOG_LEVEL_INFO, pp);
             }
 
diff --git a/libpromises/dbm_lmdb.c b/libpromises/dbm_lmdb.c
index 65d08fe1ec..2bed01bba1 100644
--- a/libpromises/dbm_lmdb.c
+++ b/libpromises/dbm_lmdb.c
@@ -34,6 +34,7 @@
 #include <file_lib.h>
 #include <known_dirs.h>
 #include <bootstrap.h>
+#include <conversion.h>
 
 #ifdef LMDB
 
@@ -537,7 +538,31 @@ DBPriv *DBPrivOpenDB(const char *dbpath, dbid id)
     open_flags |= MDB_WRITEMAP;
 #endif
 
-    rc = LmdbEnvOpen(db->env, dbpath, open_flags, 0644);
+#ifndef __MINGW32__
+    // If effective user is root then change to system group for lmdb files
+    // otherwise leave group as-is.
+    uid_t p_euid = geteuid();
+    gid_t current_gid = getgid();
+    if (p_euid == 0)
+    {
+        gid_t system_gid = Str2Gid(CF_SYSTEM_GROUP, NULL /* no groupcopy */, NULL /* no Promise */);
+        if (system_gid == CF_SAME_GROUP || system_gid == CF_UNKNOWN_GROUP)
+        {
+            Log(LOG_LEVEL_ERR, "Could not get gid_t for CF_SYSTEM_GROUP('%s'), got %d", CF_SYSTEM_GROUP, system_gid);
+            goto err;
+        }
+        else
+        {
+            rc = setgid(system_gid);
+            if (rc)
+            {
+                Log(LOG_LEVEL_WARNING, "Could not set system group. setgid(%d): %s", system_gid, strerror(errno));
+            }
+        }
+    }
+#endif
+
+    rc = LmdbEnvOpen(db->env, dbpath, open_flags, CF_PERMS_DEFAULT);
     if (rc)
     {
         Log(LOG_LEVEL_ERR, "Could not open database %s: %s",
@@ -546,6 +571,17 @@ DBPriv *DBPrivOpenDB(const char *dbpath, dbid id)
         {
             HandleLMDBCorruption(db->env, mdb_strerror(rc));
         }
+#ifndef __MINGW32__
+        if (p_euid == 0)
+        {
+            rc = setgid(current_gid);
+            if (rc)
+            {
+                Log(LOG_LEVEL_ERR, "Could not set group id back to previous value.");
+                goto err;
+            }
+        }
+#endif
         goto err;
     }
     if (DB_MAX_READERS > 0)
diff --git a/libutils/definitions.h b/libutils/definitions.h
index 4c813b7e5e..640b634721 100644
--- a/libutils/definitions.h
+++ b/libutils/definitions.h
@@ -44,4 +44,24 @@
 #define CF_BUFSIZE     4096
 #define CF_EXPANDSIZE (2 * CF_BUFSIZE)
 
+/*****************************************************************************
+ *                          File permissions                                 *
+ *****************************************************************************/
+// 0600 - Read/Write for owner
+#define CF_PERMS_DEFAULT  S_IRUSR | S_IWUSR
+// 0644 - World readable
+#define CF_PERMS_SHARED   CF_PERMS_DEFAULT | S_IRGRP | S_IROTH
+
+/*****************************************************************************
+ *                       File Ownership                                         *
+ *****************************************************************************/
+#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(__APPLE__)
+#  define CF_SYSTEM_GROUP "wheel"
+#elif defined(__sun__) || defined(__hpux__)
+#  define CF_SYSTEM_GROUP "sys"
+#elif defined(_AIX)
+#  define CF_SYSTEM_GROUP "system"
+#else
+#  define CF_SYSTEM_GROUP "root"
+#endif
 #endif // CFENGINE_DEFINITIONS_H
diff --git a/tests/load/Makefile.am b/tests/load/Makefile.am
index 03edd33b19..1a08ba3d74 100644
--- a/tests/load/Makefile.am
+++ b/tests/load/Makefile.am
@@ -50,7 +50,7 @@ check_PROGRAMS = db_load lastseen_load lastseen_threaded_load
 
 
 db_load_SOURCES = db_load.c
-db_load_LDADD = ../unit/libdb.la
+db_load_LDADD = ../unit/libdb.la ../../libpromises/libpromises.la
 
 
 lastseen_load_SOURCES = lastseen_load.c \
diff --git a/tests/unit/Makefile.am b/tests/unit/Makefile.am
index e4bd304e58..712e430d7f 100644
--- a/tests/unit/Makefile.am
+++ b/tests/unit/Makefile.am
@@ -319,7 +319,7 @@ db_test_LDADD = libtest.la ../../libpromises/libpromises.la
 
 db_concurrent_test_SOURCES = db_concurrent_test.c
 #db_concurrent_test_CPPFLAGS = $(libdb_la_CPPFLAGS)
-db_concurrent_test_LDADD = libdb.la
+db_concurrent_test_LDADD = libdb.la ../../libpromises/libpromises.la
 
 lastseen_test_SOURCES = lastseen_test.c \
 	../../libpromises/item_lib.c \