diff --git a/includes/dhcpd.h b/includes/dhcpd.h
index 378459b..e7ed5a3 100644
--- a/includes/dhcpd.h
+++ b/includes/dhcpd.h
@@ -2033,6 +2033,11 @@ extern const char *path_dhcpd_pid;
 extern int dhcp_max_agent_option_packet_length;
 extern struct eventqueue *rw_queue_empty;
 
+#if defined (PARANOIA)
+extern uid_t set_uid;
+extern gid_t set_gid;
+#endif
+
 int main(int, char **);
 void postconf_initialization(int);
 void postdb_startup(void);
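Review bot: The new externs `set_uid` and `set_gid` appear to use 0 both as "no privilege drop requested" and as the root id, and nothing at the declaration states that convention. The definition in server/dhcpd.c initialises both to 0 and the new check in server/db.c tests `!= 0`, so the code now depends on it across files. A comment above the declarations, repeated at the definition, would make the contract explicit, for example `/* Target uid/gid for the PARANOIA privilege drop; 0 means none configured. */`. These short, unprefixed names were locals of main() before this change and are now program-wide symbols, so it is worth checking that no other translation unit uses the same identifiers.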
diff --git a/server/db.c b/server/db.c
index d4d42fe..5238ed8 100644
--- a/server/db.c
+++ b/server/db.c
@@ -1125,6 +1125,22 @@ int new_lease_file ()
 		log_error ("Can't create new lease file: %m");
 		return 0;
 	}
+
+#if defined (PARANOIA)
+	/*
+	 * If we are currently root and plan to change the
+	 * uid and gid change the file information so we
+	 * can manipulate it later, after we've changed
+	 * our group and user (that is dropped privileges.)
+	 */
+	if ((set_uid != 0) && (geteuid() == 0) &&
+	    (set_gid != 0) && (getegid() == 0)) {
+		if (fchown(db_fd, set_uid, set_gid)) {
+			log_fatal ("Can't chown new lease file: %m");
+		}
+	}
+#endif /* PARANOIA */
+
 	if ((new_db_file = fdopen(db_fd, "we")) == NULL) {
 		log_error("Can't fdopen new lease file: %m");
 		close(db_fd);
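Review bot: The guard around the added `fchown` requires `set_uid != 0`, `set_gid != 0`, `geteuid() == 0` and `getegid() == 0` all at once, so the call is skipped whenever only one id is configured or the effective gid is already non-zero. In that case the new lease file stays root-owned and may not be writable after privileges are dropped. Whether main() always fills in both values is not visible here, so this may be unreachable in practice. If it is reachable, consider `if (geteuid() == 0 && (set_uid != 0 || set_gid != 0))` with `fchown(db_fd, set_uid ? set_uid : (uid_t)-1, set_gid ? set_gid : (gid_t)-1)`, which leaves an unconfigured id unchanged. The failure path also uses `log_fatal` where the neighbouring paths use `log_error` and return 0, which presumably terminates with the temporary lease file left on disk; new_lease_file() starts and ends outside the hunk, so its cleanup is not visible.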
diff --git a/server/dhcpd.8 b/server/dhcpd.8
index f4b13dc..8cf756a 100644
--- a/server/dhcpd.8
+++ b/server/dhcpd.8
@@ -78,6 +78,18 @@ dhcpd - Dynamic Host Configuration Protocol Server
 .B --no-pid
 ]
 [
+.B -user
+.I user
+]
+[
+.B -group
+.I group
+]
+[
+.B -chroot
+.I dir
+]
+[
 .B -tf
 .I trace-output-file
 ]
@@ -249,6 +261,26 @@ for correct syntax, but will not attempt to perform any network
 operations.  This can be used to test a new lease file
 automatically before installing it.
 .TP
+.BI \-user \ user
+Setuid to user after completing privileged operations,
+such as creating sockets that listen on privileged ports.
+This option is only available if the code was compiled
+with the PARANOIA patch (./configure --enable-paranoia).
+.TP
+.BI \-group \ group
+Setgid to group after completing privileged operations,
+such as creating sockets that listen on privileged ports.
+This option is only available if the code was compiled
+with the PARANOIA patch (./configure --enable-paranoia).
+.TP
+.BI \-chroot \ dir
+Chroot to directory.  This may occur before or after
+reading the configuration files depending on whether
+the code was compiled with the EARLY_CHROOT option
+enabled (./configure --enable-early-chroot).
+This option is only available if the code was compiled
+with the PARANOIA patch (./configure --enable-paranoia).
+.TP
 .BI \-tf \ tracefile
 Specify a file into which the entire startup state of the server and
 all the transactions it processes are logged.  This can be
diff --git a/server/dhcpd.c b/server/dhcpd.c
index ebb6d3e..ca50178 100644
--- a/server/dhcpd.c
+++ b/server/dhcpd.c
@@ -50,6 +50,10 @@ static const char url [] =
 #  define group real_group 
 #    include <grp.h>
 #  undef group
+
+/* global values so db.c can look at them */
+uid_t set_uid = 0;
+gid_t set_gid = 0;
 #endif /* PARANOIA */
 
 #ifndef UNIT_TEST
@@ -180,9 +184,6 @@ main(int argc, char **argv) {
 	char *set_user   = 0;
 	char *set_group  = 0;
 	char *set_chroot = 0;
-
-	uid_t set_uid = 0;
-	gid_t set_gid = 0;
 #endif /* PARANOIA */
 
         /* Make sure that file descriptors 0 (stdin), 1, (stdout), and