diff --git a/website/source/docs/agent/options.html.markdown b/website/source/docs/agent/options.html.markdown
index 2ecc5e2db7..959d41d511 100644
--- a/website/source/docs/agent/options.html.markdown
+++ b/website/source/docs/agent/options.html.markdown
@@ -244,8 +244,10 @@ definitions support being updated during a reload.
Both `rpc` and `http` support binding to Unix domain sockets. A socket can be
specified in the form `unix:///path/to/socket`. A new domain socket will be
created at the given path. If the specified file path already exists, Consul
- will refuse to start and return an error. For information on how to secure
- socket file permissions, refer to the manual page for your operating system.
+ will attempt to clear the file and create the domain socket in its place.
+
+ The permissions of the socket file are tunable via the `unix_sockets` config
+ construct.
When running Consul agent commands against Unix socket interfaces, use the
`-rpc-addr` or `-http-addr` arguments to specify the path to the socket. You
@@ -429,6 +431,17 @@ definitions support being updated during a reload.
* `ui_dir` - Equivalent to the `-ui-dir` command-line flag.
+* `unix_sockets` - This allows tuning the ownership and permissions of the
+ Unix domain socket files created by Consul. Domain sockets are only used if
+ the HTTP or RPC addresses are configured with the `unix://` prefix. The
+ following options are valid within this construct, and apply globally to all
+ sockets created by Consul:
+
+ * `user` - The name or ID of the user who will own the socket file.
+ * `group` - The group ID ownership of the socket file. Note that this option
+ currently only supports numeric ID's.
+ * `mode` - The permission bits to set on the file.
+
* `verify_incoming` - If set to True, Consul requires that all incoming
connections make use of TLS, and that the client provides a certificate signed
by the Certificate Authority from the `ca_file`. By default, this is false, and