diff --git a/configure.in b/configure.in
index eae4c49c3e..2cc9c44505 100644
--- a/configure.in
+++ b/configure.in
@@ -1200,6 +1200,7 @@ AC_SUBST(STRPTIME_C)
 AC_SUBST(STRPTIME_O)
 
 AC_CHECK_FUNCS(getprotobynumber gethostbyname2)
+AC_CHECK_FUNCS(issetugid)
 
 dnl blank for now, but will be used in future
 AC_SUBST(ethereal_SUBDIRS)
diff --git a/epan/Makefile.common b/epan/Makefile.common
index 013622241f..1f27c3d84f 100644
--- a/epan/Makefile.common
+++ b/epan/Makefile.common
@@ -64,6 +64,7 @@ LIBETHEREAL_SRC = 		\
 	packet.c		\
 	plugins.c		\
 	prefs.c			\
+	privileges.c		\
 	proto.c			\
 	radius_dict.c		\
 	range.c			\
@@ -152,6 +153,7 @@ LIBETHEREAL_INCLUDES = 		\
 	ppptypes.h		\
 	prefs.h			\
 	prefs-int.h		\
+	privileges.h		\
 	proto.h			\
 	ptvcursor.h		\
 	range.h			\
diff --git a/epan/plugins.c b/epan/plugins.c
index eaa380cab8..83c7e8998f 100644
--- a/epan/plugins.c
+++ b/epan/plugins.c
@@ -49,6 +49,7 @@
 #endif
 
 #include "filesystem.h"
+#include "privileges.h"
 #include <wiretap/file_util.h>
 #include "report_err.h"
 
@@ -415,11 +416,18 @@ init_plugins(const char *plugin_dir)
 	g_free(datafile_dir);
 
 	/*
-	 * Scan the users plugin directory.
+	 * If the program wasn't started with special privileges,
+	 * scan the users plugin directory.  (Even if we relinquish
+	 * them, plugins aren't safe unless we've *permanently*
+	 * relinquished them, and we can't do that in Ethereal as,
+	 * if we need privileges to start capturing, we'd need to
+	 * reclaim them before each time we start capturing.)
 	 */
-	datafile_dir = get_plugins_pers_dir();
-	plugins_scan_dir(datafile_dir);
-	g_free(datafile_dir);
+	if (!started_with_special_privs()) {
+	    datafile_dir = get_plugins_pers_dir();
+	    plugins_scan_dir(datafile_dir);
+	    g_free(datafile_dir);
+	}
     }
 }
 
diff --git a/epan/privileges.c b/epan/privileges.c
new file mode 100644
index 0000000000..8739cb9fba
--- /dev/null
+++ b/epan/privileges.c
@@ -0,0 +1,95 @@
+/* privileges.c
+ * Routines for handling privileges, e.g. set-UID and set-GID on UNIX.
+ *
+ * $Id$
+ *
+ * Ethereal - Network traffic analyzer
+ * By Gerald Combs <gerald@ethereal.com>
+ * Copyright 2006 Gerald Combs
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
+ */
+
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <glib.h>
+
+#include "privileges.h"
+
+#ifdef _WIN32
+
+/*
+ * Called when the program starts, to save whatever credential information
+ * we'll need later.
+ */
+void
+get_credential_info(void)
+{
+}
+
+/*
+ * For now, we say the program wasn't started with special privileges.
+ * There are ways of running programs with credentials other than those
+ * for the session in which it's run, but I don't know whether that'd be
+ * done with Ethereal/Tethereal or not.
+ */
+gboolean
+started_with_special_privs(void)
+{
+	return FALSE;
+}
+
+#else /* _WIN32 */
+
+#ifdef HAVE_SYS_TYPES_H
+# include <sys/types.h>
+#endif
+
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+
+static uid_t ruid, euid;
+static gid_t rgid, egid;
+
+/*
+ * Called when the program starts, to save whatever credential information
+ * we'll need later.
+ * That'd be the real and effective UID and GID on UNIX.
+ */
+void
+get_credential_info(void)
+{
+	ruid = getuid();
+	euid = geteuid();
+	rgid = getgid();
+	egid = getegid();
+}
+
+/*
+ * "Started with special privileges" means "started out set-UID or set-GID".
+ */
+gboolean
+started_with_special_privs(void)
+{
+#ifdef HAVE_ISSETUGID
+	return issetugid();
+#else
+	return (ruid != euid || rgid != egid);
+#endif
+}
+#endif /* _WIN32 */
diff --git a/epan/privileges.h b/epan/privileges.h
new file mode 100644
index 0000000000..71b7d535c7
--- /dev/null
+++ b/epan/privileges.h
@@ -0,0 +1,34 @@
+/* privileges.h
+ * Declarations of routines for handling privileges.
+ *
+ * $Id$
+ *
+ * Ethereal - Network traffic analyzer
+ * By Gerald Combs <gerald@ethereal.com>
+ * Copyright 2006 Gerald Combs
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
+ */
+
+/*
+ * Called when the program starts, to save whatever credential information
+ * we'll need later.
+ */
+extern void get_credential_info(void);
+
+/*
+ * Was this program started with special privileges?
+ */
+extern gboolean started_with_special_privs(void);
diff --git a/gtk/main.c b/gtk/main.c
index 758d886b82..b03473c50c 100644
--- a/gtk/main.c
+++ b/gtk/main.c
@@ -54,6 +54,7 @@
 
 #include <epan/epan.h>
 #include <epan/filesystem.h>
+#include <epan/privileges.h>
 #include <epan/epan_dissect.h>
 #include <epan/timestamp.h>
 #include <epan/packet.h>
@@ -1912,6 +1913,11 @@ main(int argc, char *argv[])
   char optstring[sizeof(OPTSTRING_INIT) + sizeof(OPTSTRING_CHILD) + sizeof(OPTSTRING_WIN32) - 2] =
     OPTSTRING_INIT OPTSTRING_WIN32;
 
+  /*
+   * Get credential information for later use.
+   */
+  get_credential_info();
+
   /* initialize memory allocation subsystem */
   ep_init_chunk();
   se_init_chunk();
diff --git a/tethereal.c b/tethereal.c
index 2243e5c46e..b2d769e187 100644
--- a/tethereal.c
+++ b/tethereal.c
@@ -62,6 +62,7 @@
 #include <glib.h>
 #include <epan/epan.h>
 #include <epan/filesystem.h>
+#include <epan/privileges.h>
 #include <wiretap/file_util.h>
 
 #include "globals.h"
@@ -694,6 +695,11 @@ main(int argc, char *argv[])
 
   static const char    optstring[] = OPTSTRING_INIT OPTSTRING_WIN32;
 
+  /*
+   * Get credential information for later use.
+   */
+  get_credential_info();
+
   /* nothing more than the standard GLib handler, but without a warning */
   log_flags = 
 		    G_LOG_LEVEL_ERROR|