diff --git a/contrib/init/bitcoind.service b/contrib/init/bitcoind.service
index cfc5f775800..34c3e7b3ab9 100644
--- a/contrib/init/bitcoind.service
+++ b/contrib/init/bitcoind.service
@@ -5,8 +5,9 @@
 # See "man systemd.service" for details.
 
 # Note that almost all daemon options could be specified in
-# /etc/bitcoin/bitcoin.conf, except for those explicitly specified as arguments
-# in ExecStart=
+# /etc/bitcoin/bitcoin.conf, but keep in mind those explicitly
+# specified as arguments in ExecStart= will override those in the
+# config file.
 
 [Unit]
 Description=Bitcoin daemon
@@ -18,6 +19,10 @@ ExecStart=/usr/bin/bitcoind -daemon \
                             -conf=/etc/bitcoin/bitcoin.conf \
                             -datadir=/var/lib/bitcoind
 
+# Make sure the config directory is readable by the service user
+PermissionsStartOnly=true
+ExecStartPre=/bin/chgrp bitcoin /etc/bitcoin
+
 # Process management
 ####################
 
@@ -53,6 +58,9 @@ PrivateTmp=true
 # Mount /usr, /boot/ and /etc read-only for the process.
 ProtectSystem=full
 
+# Deny access to /home, /root and /run/user
+ProtectHome=true
+
 # Disallow the process and all of its children to gain
 # new privileges through execve().
 NoNewPrivileges=true
diff --git a/doc/init.md b/doc/init.md
index a6c9bb94d84..87e939c636d 100644
--- a/doc/init.md
+++ b/doc/init.md
@@ -59,11 +59,11 @@ Data directory:      `/var/lib/bitcoind`
 PID file:            `/var/run/bitcoind/bitcoind.pid` (OpenRC and Upstart) or `/run/bitcoind/bitcoind.pid` (systemd)
 Lock file:           `/var/lock/subsys/bitcoind` (CentOS)  
 
-The configuration file, PID directory (if applicable) and data directory
-should all be owned by the bitcoin user and group.  It is advised for security
-reasons to make the configuration file and data directory only readable by the
-bitcoin user and group.  Access to bitcoin-cli and other bitcoind rpc clients
-can then be controlled by group membership.
+The PID directory (if applicable) and data directory should both be owned by the
+bitcoin user and group. It is advised for security reasons to make the
+configuration file and data directory only readable by the bitcoin user and
+group. Access to bitcoin-cli and other bitcoind rpc clients can then be
+controlled by group membership.
 
 NOTE: When using the systemd .service file, the creation of the aforementioned
 directories and the setting of their permissions is automatically handled by