diff -urNp Linux-PAM-1.0.91.orig/configure.in Linux-PAM-1.0.91/configure.in --- Linux-PAM-1.0.91.orig/configure.in 2009-06-29 13:56:15.000000000 -0400 +++ Linux-PAM-1.0.91/configure.in 2009-08-31 15:48:20.000000000 -0400 @@ -527,6 +527,9 @@ AC_SUBST([HAVE_KEY_MANAGEMENT], $HAVE_KE AM_CONDITIONAL([HAVE_KEY_MANAGEMENT], [test "$have_key_syscalls" = 1]) +dnl Check for capabilities library +LIBCAP_NG_PATH + dnl Files to be created from when we run configure AC_CONFIG_FILES([Makefile libpam/Makefile libpamc/Makefile libpamc/test/Makefile \ libpam_misc/Makefile conf/Makefile conf/pam_conv1/Makefile \ diff -urNp Linux-PAM-1.0.91.orig/m4/cap-ng.m4 Linux-PAM-1.0.91/m4/cap-ng.m4 --- Linux-PAM-1.0.91.orig/m4/cap-ng.m4 1969-12-31 19:00:00.000000000 -0500 +++ Linux-PAM-1.0.91/m4/cap-ng.m4 2009-08-31 15:48:43.000000000 -0400 
@@ -0,0 +1,40 @@
+# libcap-ng.m4 - Checks for the libcap-ng support
+# Copyright (c) 2009 Steve Grubb sgrubb@redhat.com
+#
+AC_DEFUN([LIBCAP_NG_PATH],
+[
+ AC_ARG_WITH(libcap-ng,
+ [ --with-libcap-ng=[auto/yes/no] Add Libcap-ng support [default=auto]],,
+ with_libcap_ng=auto)
+
+ # Check for Libcap-ng API
+ #
+ # libcap-ng detection
+
+ if test x$with_libcap_ng = xno ; then
+ have_libcap_ng=no;
+ else
+ # Start by checking for header file
+ AC_CHECK_HEADER(cap-ng.h, capng_headers=yes, capng_headers=no)
+
+ # See if we have libcap-ng library
+ AC_CHECK_LIB(cap-ng, capng_clear,
+ CAPNG_LDADD=-lcap-ng,)
+
+ # Check results are usable
+ if test x$with_libcap_ng = xyes -a x$CAPNG_LDADD = x ; then
+ AC_MSG_ERROR(libcap-ng support was requested and the library was not found)
+ fi
+ if test x$CAPNG_LDADD != x -a $capng_headers = no ; then
+ AC_MSG_ERROR(libcap-ng libraries found but headers are missing)
+ fi
+ fi
+ AC_SUBST(CAPNG_LDADD)
+ AC_MSG_CHECKING(whether to use libcap-ng)
+ if test x$CAPNG_LDADD != x ; then
+ AC_DEFINE(HAVE_LIBCAP_NG,1,[libcap-ng support])
+ AC_MSG_RESULT(yes)
+ else
+ AC_MSG_RESULT(no)
+ fi
+])
diff -urNp Linux-PAM-1.0.91.orig/modules/pam_unix/Makefile.am Linux-PAM-1.0.91/modules/pam_unix/Makefile.am
--- Linux-PAM-1.0.91.orig/modules/pam_unix/Makefile.am 2009-06-29 13:56:17.000000000 -0400
+++ Linux-PAM-1.0.91/modules/pam_unix/Makefile.am 2009-08-31 15:48:20.000000000 -0400
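Review bot: `CAPNG_LDADD` is never initialised in this macro, so a value inherited from the environment survives the `--with-libcap-ng=no` branch (which only sets `have_libcap_ng`, a variable nothing in the macro reads) and the final `test x$CAPNG_LDADD != x` would still define `HAVE_LIBCAP_NG`; starting the macro body with `CAPNG_LDADD=` closes that gap. In the default auto mode, finding the library without `cap-ng.h` aborts configure through `AC_MSG_ERROR` rather than falling back to a build without capability dropping, which is stricter than "auto" suggests; consider clearing `CAPNG_LDADD` in that case unless `with_libcap_ng` is `yes`. The `test` operands are unquoted (`$capng_headers`, `x$with_libcap_ng`, `x$CAPNG_LDADD`), so quoting them would keep the checks well-formed for empty or multi-word values.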
@@ -50,7 +50,7 @@ unix_chkpwd_SOURCES = unix_chkpwd.c md5_ passverify.c unix_chkpwd_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_chkpwd\" unix_chkpwd_LDFLAGS = @PIE_LDFLAGS@ -unix_chkpwd_LDADD = @LIBCRYPT@ @LIBSELINUX@ @LIBAUDIT@ +unix_chkpwd_LDADD = @LIBCRYPT@ @LIBSELINUX@ @LIBAUDIT@ @CAPNG_LDADD@ unix_update_SOURCES = unix_update.c md5_good.c md5_broken.c bigcrypt.c \ passverify.c diff -urNp Linux-PAM-1.0.91.orig/modules/pam_unix/unix_chkpwd.c Linux-PAM-1.0.91/modules/pam_unix/unix_chkpwd.c --- Linux-PAM-1.0.91.orig/modules/pam_unix/unix_chkpwd.c 2009-06-29 13:56:17.000000000 -0400 +++ Linux-PAM-1.0.91/modules/pam_unix/unix_chkpwd.c 2009-08-31 15:48:20.000000000 -0400 @@ -28,6 +28,9 @@ #ifdef HAVE_LIBAUDIT #include #endif +#ifdef HAVE_LIBCAP_NG +#include +#endif #include #include @@ -131,6 +134,12 @@ int main(int argc, char *argv[]) */ if (getuid() == 0) { user=argv[1]; +#ifdef HAVE_LIBCAP_NG + capng_clear(CAPNG_SELECT_BOTH); + capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, + CAP_DAC_OVERRIDE, CAP_SETUID, -1); + capng_apply(CAPNG_SELECT_BOTH); +#endif } else { user = getuidname(getuid());
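Review bot: The return values of `capng_updatev()` and `capng_apply()` in the new `#ifdef HAVE_LIBCAP_NG` block of `main` are ignored, so if the capability change fails the helper carries on with whatever capability set it started with and nothing records that the reduction did not happen. Both calls report failure with a non-zero return, so the block should fail closed, e.g. `if (capng_updatev(...) != 0 || capng_apply(CAPNG_SELECT_BOTH) != 0) return PAM_SYSTEM_ERR;` (or whichever error code the helper already uses), ideally after logging the failure. The drop is also placed only in the `getuid() == 0` branch; the `else` branch continues past the end of this hunk, so it is worth confirming whether the path taken by a non-root caller is meant to keep its full set. A short comment such as `/* keep only what is needed to read the shadow entry and switch uid */` above `capng_updatev` would document why `CAP_DAC_OVERRIDE` and `CAP_SETUID` are the two retained capabilities, assuming that is the intent.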