diff --git a/exec.go b/exec.go
index 01c4db8d..5696ce6e 100644
--- a/exec.go
+++ b/exec.go
@@ -213,6 +213,9 @@ func getProcess(context *cli.Context, bundle string) (*specs.Process, error) {
 p.User.UID = uint32(uid)
 }
 for _, gid := range context.Int64Slice("additional-gids") {
+ if gid < 0 {
+ return nil, fmt.Errorf("additional-gids must be a positive number %d", gid)
+ }
 p.User.AdditionalGids = append(p.User.AdditionalGids, uint32(gid))
 }
 return p, nil
diff --git a/tests/integration/exec.bats b/tests/integration/exec.bats
index b1f86a38..5ad6c65c 100644
--- a/tests/integration/exec.bats
+++ b/tests/integration/exec.bats
@@ -114,6 +114,8 @@ function teardown() {
 }

 @test "runc exec --additional-gids" {
+ requires root
+
 # run busybox detached
 runc run -d --console-socket $CONSOLE_SOCKET test_busybox
 [ "$status" -eq 0 ]
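Review bot: The added guard in the `additional-gids` loop rejects only negative values, so an int64 above `math.MaxUint32` still reaches `uint32(gid)` and is silently truncated. The process would then receive a different supplementary group than the one requested (4294967296 wraps to GID 0). Bound both ends with `if gid < 0 || gid > math.MaxUint32 {`, which needs `math` added to the imports. The message also says "positive" although 0 is accepted; `"additional-gids must be in the range 0-4294967295, got %d"` states the actual contract. getProcess starts above the hunk, and the `uint32(uid)` conversion on the first context line may need the same range check, depending on how `uid` is parsed, which is not visible here.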