diff -uNrb -x CVS -x '*~' -x '*.o' portmap-5.orig/portmap.8 portmap-5.chroot/portmap.8
--- portmap-5.orig/portmap.8	2004-09-30 22:39:22.000000000 +0000
+++ portmap-5.chroot/portmap.8	2004-10-01 02:23:34.000000000 +0000
@@ -46,6 +46,7 @@
 .Sh SYNOPSIS
 .Nm portmap
 .Op Fl d
+.Op Fl t Ar dir
 .Op Fl v
 .Sh DESCRIPTION
 .Nm Portmap
@@ -96,6 +97,16 @@
 from running as a daemon,
 and causes errors and debugging information
 to be printed to the standard error output.
+.It Fl t Ar dir
+(chroot) tell 
+.Nm portmap 
+to 
+.Xr chroot 2
+into 
+.Ar dir .
+.Ar dir 
+should be empty, not writeable by the daemon user, and preferably on a 
+filesystem mounted read-only, noexec, nodev, and nosuid.
 .It Fl v
 (verbose) run
 .Nm portmap
diff -uNrb -x CVS -x '*~' -x '*.o' portmap-5.orig/portmap.c portmap-5.chroot/portmap.c
--- portmap-5.orig/portmap.c	2004-09-30 22:39:22.000000000 +0000
+++ portmap-5.chroot/portmap.c	2004-10-02 21:03:52.000000000 +0000
@@ -163,21 +163,27 @@
 	struct sockaddr_in addr;
 	int len = sizeof(struct sockaddr_in);
 	register struct pmaplist *pml;
+	char *chroot_path = NULL;
 
-	while ((c = getopt(argc, argv, "dv")) != EOF) {
+	while ((c = getopt(argc, argv, "dt:v")) != EOF) {
 		switch (c) {
 
 		case 'd':
 			debugging = 1;
 			break;
 
+		case 't':
+			chroot_path = optarg;
+			break;
+
 		case 'v':
 			verboselog = 1;
 			break;
 
 		default:
-			(void) fprintf(stderr, "usage: %s [-dv]\n", argv[0]);
+			(void) fprintf(stderr, "usage: %s [-dtv]\n", argv[0]);
 			(void) fprintf(stderr, "-d: debugging mode\n");
+			(void) fprintf(stderr, "-t dir: chroot into dir\n");
 			(void) fprintf(stderr, "-v: verbose logging\n");
 			exit(1);
 		}
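Review bot: The new usage line `"usage: %s [-dtv]\n"` presents `-t` as a plain flag, although the getopt string `"dt:v"` makes it take an argument and the man page synopsis shows `-t dir`. I would write it as `(void) fprintf(stderr, "usage: %s [-d] [-t dir] [-v]\n", argv[0]);` so the short usage agrees with the per-option line added below it. `chroot_path` is stored straight from `optarg` with no check that it is an absolute path; a relative `-t` argument would be resolved against whatever the working directory is at the time of the later `chroot()` call, which is worth a sentence in the man page or a check here. The enclosing function begins before this hunk and continues after it.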
@@ -189,10 +195,12 @@
 	}
 
 #ifdef LOG_MAIL
-	openlog("portmap", debugging ? LOG_PID | LOG_PERROR : LOG_PID,
+	openlog("portmap", 
+		debugging ? LOG_PID | LOG_NDELAY | LOG_PERROR : LOG_PID | LOG_NDELAY,
 	    FACILITY);
 #else
-	openlog("portmap", debugging ? LOG_PID | LOG_PERROR : LOG_PID);
+	openlog("portmap", 
+		debugging ? LOG_PID | LOG_NDELAY | LOG_PERROR : LOG_PID | LOG_NDELAY);
 #endif
 
 	if ((sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) < 0) {
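Review bot: The added `LOG_NDELAY` in both `openlog()` calls has no comment saying why it is there, and the reason is not obvious from this hunk alone. It appears to be needed so the connection to the log socket is opened before the `chroot()` added later in the file, because the log device would not be reachable from an empty chroot directory; I would add `/* LOG_NDELAY: connect to syslog now, before any chroot(), while the log socket is still reachable */` above the `#ifdef LOG_MAIL`. It may also be worth noting in the man page that if the syslog daemon is restarted, a chrooted portmap presumably cannot reconnect and its later log messages could be lost.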
@@ -286,6 +294,14 @@
 	(void)svc_register(xprt, PMAPPROG, PMAPVERS, reg_service, FALSE);
 
 	/* additional initializations */
+	if (chroot_path)
+	{
+		if (-1 == chroot(chroot_path))
+		{
+			syslog(LOG_ERR, "couldn't do chroot");
+			exit(1);
+		}
+	}
 	check_startup();
 #ifdef IGNORE_SIGCHLD			/* Lionel Cons <cons@dxcern.cern.ch> */
 	(void)signal(SIGCHLD, SIG_IGN);
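Review bot: The added `chroot(chroot_path)` is not followed by `chdir("/")`, so unless a chdir happens elsewhere outside this hunk the working directory stays outside the new root and relative paths still resolve against the old tree. I would make the check `if (chroot(chroot_path) == -1 || chdir("/") == -1)` and log the cause with `syslog(LOG_ERR, "couldn't chroot to %s: %m", chroot_path);`, since the current message gives neither the path nor the errno. A chroot only confines the process once it no longer runs as root; no privilege drop is visible in this hunk, so it should be confirmed that one follows this call. The enclosing function starts before the hunk and continues past it.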
