diff -urp dnsmasq-2.48.orig/src/dnsmasq.c dnsmasq-2.48/src/dnsmasq.c
--- dnsmasq-2.48.orig/src/dnsmasq.c 2009-08-16 07:08:44.000000000 -0400
+++ dnsmasq-2.48/src/dnsmasq.c 2009-08-16 07:26:58.000000000 -0400
@@ -374,6 +374,13 @@ int main (int argc, char **argv)
 if (ent_pw && ent_pw->pw_uid != 0)
 {
 #if defined(HAVE_LINUX_NETWORK)
+#if defined(PR_CAPBSET_DROP)
+ int i, rc=0;
+ for(i=0; i<=CAP_LAST_CAP && rc == 0; i++) {
+ if (i != CAP_NET_ADMIN && i != CAP_NET_RAW && i != CAP_SETUID)
+ rc = prctl(PR_CAPBSET_DROP, i);
+ }
+#endif
 /* On linux, we keep CAP_NETADMIN (for ARP-injection) and CAP_NET_RAW (for icmp) if we're doing dhcp */
 data->effective = data->permitted = data->inheritable =
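Review bot: The outcome of the bounding-set loop is never acted on: `rc` only stops the loop at the first `prctl(PR_CAPBSET_DROP, i)` failure, and nothing in the hunk after it reports or aborts, so a failed drop leaves the remaining capabilities in the bounding set while the daemon carries on as if it had been hardened. Bounding the loop by the build headers' `CAP_LAST_CAP` fails open in the same direction: on a kernel newer than the headers, capabilities numbered above that constant are never dropped at all. A more robust shape is to walk upward until the kernel rejects the index with EINVAL (past its last capability) and treat any other failure as fatal; this needs `errno`, so confirm `<errno.h>` is already included by dnsmasq.c. The enclosing `main` begins before and continues after this hunk, so the caller-side handling of a failure is not visible here. The comment left in place still says the two network capabilities are kept "if we're doing dhcp", but the new exclusion list is unconditional; the comment should be updated to match.
```c
#if defined(PR_CAPBSET_DROP)
      int i;
      /* Drop every capability from the bounding set except the ones we keep.
         Stop at the first index the running kernel does not know (EINVAL):
         that is the kernel's real last capability, which may be above the
         build headers' CAP_LAST_CAP. Any other failure must not be ignored. */
      for (i = 0; ; i++)
        {
          if (i == CAP_NET_ADMIN || i == CAP_NET_RAW || i == CAP_SETUID)
            continue;
          if (prctl(PR_CAPBSET_DROP, i) == 0)
            continue;
          if (errno == EINVAL)
            break;
          /* fail closed: report through the daemon's fatal-error path here
             rather than continuing with a partially trimmed bounding set */
        }
#endif
/* … unchanged: capability-set assignment that follows … */
```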