Drop privileges after writing the pidfile.

[fwd] / fw.c

diff --git a/fw.c b/fw.c
index f626c6e..9c29808 100644 (file)
--- a/fw.c
+++ b/fw.c
@@ -679,20 +679,6 @@ int main(int argc, char *argv[])
     sig_add(&s_hup, SIGHUP, fw_reload, 0);
   }
 
-  /* --- Drop privileges --- */
-
-  if (drop != (uid_t)-1)
-    privconn_split(sel);
-#ifdef HAVE_SETGROUPS
-  if ((dropg != (gid_t)-1 && (setgid(dropg) || setgroups(1, &dropg))) ||
-      (drop != (uid_t)-1 && setuid(drop)))
-    die(1, "couldn't drop privileges: %s", strerror(errno));
-#else
-  if ((dropg != (gid_t)-1 && setgid(dropg)) ||
-      (drop != (uid_t)-1 && setuid(drop)))
-    die(1, "couldn't drop privileges: %s", strerror(errno));
-#endif
-
   /* --- Fork into the background --- */
 
   if (f & f_fork) {
@@ -730,6 +716,20 @@ int main(int argc, char *argv[])
     openlog(QUIS, 0, LOG_DAEMON);
   }
 
+  /* --- Drop privileges --- */
+
+  if (drop != (uid_t)-1)
+    privconn_split(sel);
+#ifdef HAVE_SETGROUPS
+  if ((dropg != (gid_t)-1 && (setgid(dropg) || setgroups(1, &dropg))) ||
+      (drop != (uid_t)-1 && setuid(drop)))
+    die(1, "couldn't drop privileges: %s", strerror(errno));
+#else
+  if ((dropg != (gid_t)-1 && setgid(dropg)) ||
+      (drop != (uid_t)-1 && setuid(drop)))
+    die(1, "couldn't drop privileges: %s", strerror(errno));
+#endif
+
   /* --- Let rip --- */
 
   if (!(flags & FW_SET))