diff --git a/tools/aconfig/aflags/Android.bp b/tools/aconfig/aflags/Android.bp
index c65da97089..b36aa34c64 100644
--- a/tools/aconfig/aflags/Android.bp
+++ b/tools/aconfig/aflags/Android.bp
@@ -12,6 +12,7 @@ rust_defaults {
 "libaconfig_protos",
 "libanyhow",
 "libclap",
+ "libnix",
 "libprotobuf",
 "libregex",
 ],
diff --git a/tools/aconfig/aflags/Cargo.toml b/tools/aconfig/aflags/Cargo.toml
index 3350a6cd52..6a08da6745 100644
--- a/tools/aconfig/aflags/Cargo.toml
+++ b/tools/aconfig/aflags/Cargo.toml
@@ -10,3 +10,4 @@ clap = { version = "4", features = ["derive"] }
 protobuf = "3.2.0"
 regex = "1.10.3"
 aconfig_protos = { path = "../aconfig_protos" }
+nix = { version = "0.28.0", features = ["user"] }
diff --git a/tools/aconfig/aflags/src/main.rs b/tools/aconfig/aflags/src/main.rs
index 30275e38d4..febd56792c 100644
--- a/tools/aconfig/aflags/src/main.rs
+++ b/tools/aconfig/aflags/src/main.rs
@@ -16,13 +16,13 @@
 //! `aflags` is a device binary to read and write aconfig flags.
-use anyhow::{anyhow, Result};
+use anyhow::{anyhow, ensure, Result};
 use clap::Parser;
 mod device_config_source;
 use device_config_source::DeviceConfigSource;
-#[derive(Clone)]
+#[derive(Clone, PartialEq)]
 enum FlagPermission {
 ReadOnly,
 ReadWrite,
@@ -168,16 +168,15 @@ fn format_flag_row(flag: &Flag, info: &PaddingInfo) -> String {
 }
 fn set_flag(qualified_name: &str, value: &str) -> Result<()> {
+ ensure!(nix::unistd::Uid::current().is_root(), "must be root to mutate flags");
+
 let flags_binding = DeviceConfigSource::list_flags()?;
 let flag = flags_binding.iter().find(|f| f.qualified_name() == qualified_name).ok_or(
 anyhow!("no aconfig flag '{qualified_name}'. Does the flag have an .aconfig definition?"),
 )?;
- if let FlagPermission::ReadOnly = flag.permission {
- return Err(anyhow!(
- "could not write flag '{qualified_name}', it is read-only for the current release configuration.",
- ));
- }
+ ensure!(flag.permission == FlagPermission::ReadWrite,
+ format!("could not write flag '{qualified_name}', it is read-only for the current release configuration."));
 DeviceConfigSource::override_flag(&flag.namespace, qualified_name, value)?;
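Review bot: The root check at the top of `set_flag` runs in the client binary, so it only produces an early, readable error and should not be read as the authorization boundary; whether an unprivileged write is actually refused depends on the path behind `DeviceConfigSource::override_flag`, which is not visible here. I would say so in a comment above it, e.g. `// Early failure for a clearer message; the flag store must still reject unprivileged writes.` It also tests the real UID (`Uid::current()`), so if the effective UID is what matters for this tool, `Uid::effective()` is the call to use. As a style point, the second `ensure!` does not need the `format!` wrapper, since `ensure!` takes the format string and captures `{qualified_name}` itself. `set_flag` continues past the end of the hunk.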