--- tcpdump-3.9.7/tcpdump.c.droproot	2006-09-19 21:07:57.000000000 +0200

+++ tcpdump-3.9.7/tcpdump.c	2007-07-24 16:15:54.000000000 +0200

@@ -958,6 +958,11 @@ main(int argc, char **argv)

 		(void)setsignal(SIGHUP, oldhandler);

 #endif /* WIN32 */

+	if (Cflag != 0 && (getuid() == 0 || geteuid() == 0)) {

+		if (username || chroot_dir)

+			droproot(username, chroot_dir);

+	}

+

 	if (pcap_setfilter(pd, &fcode) < 0)

 		error("%s", pcap_geterr(pd));

 	if (WFileName) {

@@ -999,7 +1004,7 @@ main(int argc, char **argv)

 	 * We cannot do this earlier, because we want to be able to open

 	 * the file (if done) for writing before giving up permissions.

 	 */

-	if (getuid() == 0 || geteuid() == 0) {

+	if (Cflag == 0 && (getuid() == 0 || geteuid() == 0)) {

 		if (username || chroot_dir)

 			droproot(username, chroot_dir);

 	}

--- tcpdump-3.9.7/tcpdump.1.in.droproot	2007-07-24 16:15:54.000000000 +0200

+++ tcpdump-3.9.7/tcpdump.1.in	2007-07-24 16:15:54.000000000 +0200

@@ -264,6 +264,9 @@ have the name specified with the

 flag, with a number after it, starting at 1 and continuing upward.

 The units of \fIfile_size\fP are millions of bytes (1,000,000 bytes,

 not 1,048,576 bytes).

+

+Note that when used with \fB\-Z\fR option (enabled by default), privileges

+are dropped before opening first savefile.

 .TP

 .B \-d

 Dump the compiled packet-matching code in a human readable form to

@@ -592,7 +595,9 @@ Drops privileges (if root) and changes u

 and the group ID to the primary group of

 .IR user .

 .IP

-This behavior can also be enabled by default at compile time.

+This behavior is enabled by default (\fB\-Z tcpdump\fR), and can

+be disabled by \fB\-Z root\fR.

+

 .IP "\fI expression\fP"

 .RS

 selects which packets will be dumped.