Otherwise we may not be able to write it (e.g., to /var/run) because
of file access restrictions.
sig_add(&s_hup, SIGHUP, fw_reload, 0);
}
sig_add(&s_hup, SIGHUP, fw_reload, 0);
}
- /* --- Drop privileges --- */
-
- if (drop != (uid_t)-1)
- privconn_split(sel);
-#ifdef HAVE_SETGROUPS
- if ((dropg != (gid_t)-1 && (setgid(dropg) || setgroups(1, &dropg))) ||
- (drop != (uid_t)-1 && setuid(drop)))
- die(1, "couldn't drop privileges: %s", strerror(errno));
-#else
- if ((dropg != (gid_t)-1 && setgid(dropg)) ||
- (drop != (uid_t)-1 && setuid(drop)))
- die(1, "couldn't drop privileges: %s", strerror(errno));
-#endif
-
/* --- Fork into the background --- */
if (f & f_fork) {
/* --- Fork into the background --- */
if (f & f_fork) {
openlog(QUIS, 0, LOG_DAEMON);
}
openlog(QUIS, 0, LOG_DAEMON);
}
+ /* --- Drop privileges --- */
+
+ if (drop != (uid_t)-1)
+ privconn_split(sel);
+#ifdef HAVE_SETGROUPS
+ if ((dropg != (gid_t)-1 && (setgid(dropg) || setgroups(1, &dropg))) ||
+ (drop != (uid_t)-1 && setuid(drop)))
+ die(1, "couldn't drop privileges: %s", strerror(errno));
+#else
+ if ((dropg != (gid_t)-1 && setgid(dropg)) ||
+ (drop != (uid_t)-1 && setuid(drop)))
+ die(1, "couldn't drop privileges: %s", strerror(errno));
+#endif
+
/* --- Let rip --- */
if (!(flags & FW_SET))
/* --- Let rip --- */
if (!(flags & FW_SET))
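Review bot: In the relocated drop block, a user given without a group (`drop` set, `dropg` still `(gid_t)-1`) skips both `setgid` and `setgroups`, so the process keeps its starting primary and supplementary groups after `setuid(drop)`. The `#else` branch never clears supplementary groups at all. Both cases deserve at least a comment such as `/* NB: groups are only shed when a group is given and setgroups() exists */`, or a refusal to start when a uid is given without a gid. Because the drop now runs after the background fork and `openlog`, it is also worth confirming that `die` reports through syslog when `f_fork` is set; if it only writes to stderr, a failed drop would presumably exit without a visible message. The enclosing function starts and ends outside the lines shown, so the handling between the fork and this block could not be checked.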