From 8938f77b2c12ccea6731a1eba7d788b2ba22348f Mon Sep 17 00:00:00 2001
From: Mark Wooding <mdw@distorted.org.uk>
Date: Tue, 1 Apr 2008 13:47:40 +0100
Subject: [PATCH] Drop privileges after writing the pidfile.

Otherwise we may not be able to write it (e.g., to /var/run) because
of file access restrictions.
---
 fw.c | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/fw.c b/fw.c
index f626c6e..9c29808 100644
--- a/fw.c
+++ b/fw.c
@@ -679,20 +679,6 @@ int main(int argc, char *argv[])
     sig_add(&s_hup, SIGHUP, fw_reload, 0);
   }
 
-  /* --- Drop privileges --- */
-
-  if (drop != (uid_t)-1)
-    privconn_split(sel);
-#ifdef HAVE_SETGROUPS
-  if ((dropg != (gid_t)-1 && (setgid(dropg) || setgroups(1, &dropg))) ||
-      (drop != (uid_t)-1 && setuid(drop)))
-    die(1, "couldn't drop privileges: %s", strerror(errno));
-#else
-  if ((dropg != (gid_t)-1 && setgid(dropg)) ||
-      (drop != (uid_t)-1 && setuid(drop)))
-    die(1, "couldn't drop privileges: %s", strerror(errno));
-#endif
-
   /* --- Fork into the background --- */
 
   if (f & f_fork) {
@@ -730,6 +716,20 @@ int main(int argc, char *argv[])
     openlog(QUIS, 0, LOG_DAEMON);
   }
 
+  /* --- Drop privileges --- */
+
+  if (drop != (uid_t)-1)
+    privconn_split(sel);
+#ifdef HAVE_SETGROUPS
+  if ((dropg != (gid_t)-1 && (setgid(dropg) || setgroups(1, &dropg))) ||
+      (drop != (uid_t)-1 && setuid(drop)))
+    die(1, "couldn't drop privileges: %s", strerror(errno));
+#else
+  if ((dropg != (gid_t)-1 && setgid(dropg)) ||
+      (drop != (uid_t)-1 && setuid(drop)))
+    die(1, "couldn't drop privileges: %s", strerror(errno));
+#endif
+
   /* --- Let rip --- */
 
   if (!(flags & FW_SET))
-- 
2.11.0