diff --git a/lib/cask/artifact/base.rb b/lib/cask/artifact/base.rb
index 5df423dcf10..f0a25664174 100644
--- a/lib/cask/artifact/base.rb
+++ b/lib/cask/artifact/base.rb
@@ -45,7 +45,7 @@ class Cask::Artifact::Base
 end
 # key sanity
- permitted_keys = [:args, :input, :executable, :must_succeed, :sudo, :print_stdout, :print_stderr]
+ permitted_keys = [:args, :input, :executable, :must_succeed, :sudo, :bsexec, :print_stdout, :print_stderr]
 unknown_keys = arguments.keys - permitted_keys
 unless unknown_keys.empty?
 opoo %Q{Unknown arguments to #{description} -- #{unknown_keys.inspect} (ignored). Running "brew update && brew upgrade brew-cask && brew cleanup && brew cask cleanup" will likely fix it.}
diff --git a/lib/cask/container/dmg.rb b/lib/cask/container/dmg.rb
index 550f47d5f7a..2110c334f71 100644
--- a/lib/cask/container/dmg.rb
+++ b/lib/cask/container/dmg.rb
@@ -32,6 +32,8 @@ class Cask::Container::Dmg < Cask::Container::Base
 def mount!
 plist = @command.run('/usr/bin/hdiutil',
+ # :startup may not be the minimum necessary privileges
+ :bsexec => :startup,
 # realpath is a failsafe against unusual filenames
 :args => %w[mount -plist -nobrowse -readonly -noidme -mountrandom /tmp] + [Pathname.new(@path).realpath],
 :input => %w[y]
@@ -58,11 +60,15 @@ class Cask::Container::Dmg < Cask::Container::Base
 mountpath = Pathname.new(mount).realpath
 next unless mountpath.exist?
 @command.run('/usr/sbin/diskutil',
+ # :startup may not be the minimum necessary privileges
+ :bsexec => :startup,
 :args => ['eject', mountpath],
 :print_stderr => false)
 next unless mountpath.exist?
 sleep 1
 @command.run('/usr/sbin/diskutil',
+ # :startup may not be the minimum necessary privileges
+ :bsexec => :startup,
 :args => ['eject', mountpath],
 :print_stderr => false)
 next unless mountpath.exist?
diff --git a/lib/cask/system_command.rb b/lib/cask/system_command.rb
index 7dc77aac070..0ed8bd281ff 100644
--- a/lib/cask/system_command.rb
+++ b/lib/cask/system_command.rb
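Review bot: In lib/cask/container/dmg.rb the `hdiutil mount` call in `mount!` now always goes through `launchctl bsexec /`, with no `:sudo` visible in the call and no fallback to a direct run; if `bsexec` requires root on the macOS releases targeted, every DMG install from a non-root shell would fail, so this needs a check on an unprivileged run before merge. The same applies to both `diskutil eject` calls in the `@@ -58,11 +60,15 @@` hunk. The comment `# :startup may not be the minimum necessary privileges` is repeated three times without saying why the startup namespace is needed for handling the image; I would state the reason once and turn it into a tracked item, e.g. `# TODO: :startup is broader than needed; narrow to the least-privileged bootstrap namespace that still works`. The enclosing method bodies start or end outside these hunks.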
@@ -40,12 +40,14 @@ class Cask::SystemCommand
 end
 def self._process_options(executable, options)
- options.assert_valid_keys :input, :print_stdout, :print_stderr, :args, :must_succeed, :sudo
+ options.assert_valid_keys :input, :print_stdout, :print_stderr, :args, :must_succeed, :sudo, :bsexec
 sudo_prefix = %w{/usr/bin/sudo -E --}
+ bsexec_prefix = [ '/bin/launchctl', 'bsexec', options[:bsexec] == :startup ? '/' : options[:bsexec] ]
 command = [executable]
- options[:print_stderr] = true if !options.key?(:print_stderr)
- command.unshift(*sudo_prefix) if options[:sudo]
- command.concat(options[:args]) if options.key?(:args) and !options[:args].empty?
+ options[:print_stderr] = true if !options.key?(:print_stderr)
+ command.unshift(*bsexec_prefix) if options[:bsexec]
+ command.unshift(*sudo_prefix) if options[:sudo]
+ command.concat(options[:args]) if options.key?(:args) and !options[:args].empty?
 command
 end
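Review bot: `options[:bsexec]` is placed into the argv prefix unchecked: any value other than `:startup` is handed to `launchctl bsexec` as-is, so a non-String such as an Integer PID or `true` ends up in the command array, and whether the runner (outside this hunk) accepts that is not visible here. Because this option selects the bootstrap namespace the command runs in and can be combined with `:sudo`, I would validate it in `_process_options` and fail closed, accepting only `:startup` or an integer PID and stringifying it, e.g. `target = options[:bsexec] == :startup ? '/' : Integer(options[:bsexec]).to_s`. Building `bsexec_prefix` only when the option is set would also avoid constructing an array that holds `nil`. The key allow-list is now maintained in two places (`permitted_keys` in lib/cask/artifact/base.rb and `assert_valid_keys` here); a shared constant would keep them from drifting apart.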