diff -up iputils-s20101006/Makefile.drop_caps iputils-s20101006/Makefile
--- iputils-s20101006/Makefile.drop_caps	2010-11-08 14:49:53.334577997 +0100
+++ iputils-s20101006/Makefile	2010-11-08 14:49:53.342599113 +0100
@@ -13,7 +13,7 @@ ADDLIB=
 CC=gcc
 # What a pity, all new gccs are buggy and -Werror does not work. Sigh.
 CCOPT=-Wstrict-prototypes -fno-strict-aliasing -Werror
-DEFINES += -D_GNU_SOURCE
+DEFINES += -D_GNU_SOURCE -DHAVE_CAPABILITIES
 CFLAGS += $(RPM_OPT_FLAGS) $(CCOPT) $(GLIBCFIX) $(DEFINES)
 
 IPV4_TARGETS=tracepath ping clockdiff rdisc arping tftpd rarpd
@@ -30,10 +30,10 @@ tftpd: tftpd.o tftpsubs.o
 arping: arping.o
 
 ping: ping.o ping_common.o
-	$(CC) $(CFLAGS) $(LDFLAGS) ping.o ping_common.o -lidn -o ping
+	$(CC) $(CFLAGS) $(LDFLAGS) ping.o ping_common.o -lidn -lcap -o ping
 
 ping6: ping6.o ping_common.o
-	$(CC) $(CFLAGS) $(LDFLAGS) ping6.o ping_common.o -lresolv -lcrypto -o ping6
+	$(CC) $(CFLAGS) $(LDFLAGS) ping6.o ping_common.o -lresolv -lcrypto -lcap -o ping6
 
 ping.o ping6.o ping_common.o: ping_common.h in6_flowlabel.h
 tftpd.o tftpsubs.o: tftp.h
diff -up iputils-s20101006/ping6.c.drop_caps iputils-s20101006/ping6.c
--- iputils-s20101006/ping6.c.drop_caps	2010-11-08 14:49:53.338587611 +0100
+++ iputils-s20101006/ping6.c	2010-12-15 16:06:16.949794002 +0100
@@ -73,6 +73,10 @@ char copyright[] =
 #include <netinet/icmp6.h>
 #include <resolv.h>
 
+#ifdef HAVE_CAPABILITIES
+#include <sys/capability.h>
+#endif
+
 #include "ping6_niquery.h"
 #include "in6_flowlabel.h"
 
@@ -533,6 +537,9 @@ int main(int argc, char *argv[])
 	int csum_offset, sz_opt;
 #endif
 	static uint32_t scope_id = 0;
+#ifdef HAVE_CAPABILITIES
+	cap_t caps;
+#endif
 
 	icmp_sock = socket(AF_INET6, SOCK_RAW, IPPROTO_ICMPV6);
 	socket_errno = errno;
@@ -543,6 +550,16 @@ int main(int argc, char *argv[])
 		exit(-1);
 	}
 
+#ifdef HAVE_CAPABILITIES
+	/* drop all capabilities unconditionally so even root isn't special anymore */
+	caps = cap_init();
+	if (cap_set_proc(caps) < 0) {
+		perror("ping: cap_set_proc");
+		exit(-1);
+	}
+	cap_free(caps);
+#endif
+
 	source.sin6_family = AF_INET6;
 	memset(&firsthop, 0, sizeof(firsthop));
 	firsthop.sin6_family = AF_INET6;
diff -up iputils-s20101006/ping.c.drop_caps iputils-s20101006/ping.c
--- iputils-s20101006/ping.c.drop_caps	2010-11-08 14:49:53.314577272 +0100
+++ iputils-s20101006/ping.c	2010-12-15 16:05:52.113794002 +0100
@@ -66,6 +66,10 @@ char copyright[] =
 #include <netinet/ip.h>
 #include <netinet/ip_icmp.h>
 
+#ifdef HAVE_CAPABILITIES
+#include <sys/capability.h>
+#endif
+
 #ifndef ICMP_FILTER
 #define ICMP_FILTER	1
 struct icmp_filter {
@@ -125,6 +129,9 @@ main(int argc, char **argv)
 	u_char *packet;
 	char *target, hnamebuf[MAX_HOSTNAMELEN];
 	char rspace[3 + 4 * NROUTES + 1];	/* record route space */
+#ifdef HAVE_CAPABILITIES
+	cap_t caps;
+#endif
 
 	char *idn;
 	int rc = 0;
@@ -139,6 +146,16 @@ main(int argc, char **argv)
 		exit(-1);
 	}
 
+#ifdef HAVE_CAPABILITIES
+	/* drop all capabilities unconditionally so even root isn't special anymore */
+	caps = cap_init();
+	if (cap_set_proc(caps) < 0) {
+		perror("ping: cap_set_proc");
+		exit(-1);
+	}
+	cap_free(caps);
+#endif
+
 	source.sin_family = AF_INET;
 
 	preload = 1;