diff --git a/ChangeLog b/ChangeLog
index 385885c3d..389a1461b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2002-07-02  Richard Frith-Macdonald <rfm@gnu.org>
+
+	* Tools/gdomap.c: Don't write to pidfile until *after* setuid away
+	from root. Bug reported by James Kehl <mkehl@gil.com.au>
+
 2002-07-01  Richard Frith-Macdonald <rfm@gnu.org>
 
 	* Source/Additions/GSMime.m: Correct test for multipart content when
diff --git a/Tools/gdomap.c b/Tools/gdomap.c
index ecc7550e2..ffada4f11 100644
--- a/Tools/gdomap.c
+++ b/Tools/gdomap.c
@@ -4466,7 +4466,7 @@ printf(
 	}
     }
 
-  if (pidfile) {
+  if (pidfile)
     {
       FILE	*fptr = fopen(pidfile, "at");
 
@@ -4479,7 +4479,6 @@ printf(
       fprintf(fptr, "%d\n", (int) getpid());
       fclose(fptr);
     }
-  }
 
   /*
    *	Ensure we don't have any open file descriptors which may refer
@@ -4574,6 +4573,21 @@ printf(
       setuid (uid);
     }
 #endif /* __MINGW__ */
+
+  if (pidfile)
+    {
+      FILE	*fptr = fopen(pidfile, "at");
+
+      if (fptr == 0)
+	{
+	  sprintf(ebuf, "Unable to open pid file - '%s'", pidfile);
+	  gdomap_log(LOG_CRIT);
+	  exit(1);
+	}
+      fprintf(fptr, "%d\n", (int) getpid());
+      fclose(fptr);
+    }
+
 #if	!defined(__svr4__)
   /*
    * As another level of paranoia - restrict this process to /tmp