author    Mark Wooding <mdw@distorted.org.uk>
          Mon, 29 Dec 2008 20:07:04 +0000 (20:07 +0000)
committer Mark Wooding <mdw@distorted.org.uk>
          Mon, 29 Dec 2008 21:52:13 +0000 (21:52 +0000)
commit    388e0319a0faf48193658c82228133bd1ea24eb6
tree      5d8963cbf1e21f824eb26ddd89eba0ae121b71cc
parent    6ebbf072683ac7ea09a0aaafa0bb12fc0678d068
server: Introduce privilege separation.

During initialization, we fork off a child which retains its root
privileges, and maintain communication with it via a Unix-domain socket
pair.  To open a new tunnel, we send it a request and it responds by
passing back the appropriate file descriptor.

The helper process running as root is implemented in a separate program,
tripe-privhelper.  This is done (a) to reduce memory use, (b) to trigger
close-on-exec behaviour and (c) to provide a clear boundary in the
source code for the parts which still run with superuser privileges.

This entails moving our tunnel-open functions into a separate program,
and doing the necessary build-system hacking.  The changes to existing
code aren't as invasive as they at first appear.
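The fork-and-pass-back-a-descriptor mechanism the message describes, as an added example that is not tripe's own code: the parent creates a Unix-domain socket pair, forks a helper that would keep root, sends it a request, and receives the opened descriptor back as SCM_RIGHTS ancillary data. The helper here opens an unlinked scratch file as a stand-in for the tunnel device; privsep_open_demo, send_fd, recv_fd, the one-byte request 'O' and the /tmp path are all constructed for this example and say nothing about tripe-privhelper's real request format.

```c
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <unistd.h>
/* Pass one open descriptor over a Unix-domain socket with SCM_RIGHTS; the
 * one-byte payload is required, since ancillary data cannot travel alone. */
static int send_fd(int sock, int fd) {
  char byte = 0, cbuf[CMSG_SPACE(sizeof(int))] = { 0 };
  struct iovec iov = { &byte, 1 }; struct msghdr msg; memset(&msg, 0, sizeof msg);
  msg.msg_iov = &iov; msg.msg_iovlen = 1; msg.msg_control = cbuf; msg.msg_controllen = sizeof cbuf;
  struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
  c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
  c->cmsg_len = CMSG_LEN(sizeof fd); memcpy(CMSG_DATA(c), &fd, sizeof fd);
  return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}
/* Receive a descriptor; reject anything but exactly one SCM_RIGHTS fd. */
static int recv_fd(int sock) {
  char byte, cbuf[CMSG_SPACE(sizeof(int))];
  struct iovec iov = { &byte, 1 }; struct msghdr msg; memset(&msg, 0, sizeof msg);
  msg.msg_iov = &iov; msg.msg_iovlen = 1; msg.msg_control = cbuf; msg.msg_controllen = sizeof cbuf;
  if (recvmsg(sock, &msg, 0) != 1) return -1;
  struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
  if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS
      || c->cmsg_len != CMSG_LEN(sizeof(int))) return -1;
  int fd; memcpy(&fd, CMSG_DATA(c), sizeof fd); return fd;
}
/* Unprivileged side: fork the helper, send the constructed request 'O' and
 * return the descriptor it passes back (or -1). The real helper would keep
 * root and open the tunnel device; this stand-in opens a scratch file. */
int privsep_open_demo(void) {
  int sv[2], fd = -1;
  if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
  pid_t pid = fork(); if (pid < 0) return -1;
  if (pid == 0) {                          /* helper side */
    char req, path[] = "/tmp/privsep-demo-XXXXXX";   /* constructed path */
    close(sv[0]);
    if (read(sv[1], &req, 1) == 1 && req == 'O' && (fd = mkstemp(path)) >= 0) {
      unlink(path);                        /* only the descriptor leaves */
      if (write(fd, "tun0\n", 5) == 5 && lseek(fd, 0, SEEK_SET) == 0) send_fd(sv[1], fd);
    }
    _exit(0);
  }
  close(sv[1]);                            /* parent would drop root here */
  if (write(sv[0], "O", 1) == 1) fd = recv_fd(sv[0]);
  close(sv[0]); waitpid(pid, NULL, 0);
  return fd;
}
```

The strict cmsg check in recv_fd is the part worth copying: a helper that trusts whatever arrives in the control buffer can be handed the wrong number of descriptors, or none at all.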
20 files changed:
Makefile.am
configure.ac
debian/tripe.install
priv/Makefile.am [new file with mode: 0644]
priv/comm.c [new file with mode: 0644]
priv/helper.c [new file with mode: 0644]
priv/priv.h [new file with mode: 0644]
priv/tripe-privhelper.8.in [new file with mode: 0644]
server/Makefile.am
server/admin.c
server/peer.c
server/privsep.c [new file with mode: 0644]
server/tests.at
server/tripe.c
server/tripe.h
server/tun-bsd.c
server/tun-linux.c
server/tun-slip.c
server/tun-unet.c
vars.am