daemon: better drop privileges earlier

Commit 06d83d0fb35c delayed privilege dropping because we delayed
daemonization. This may made sense to be able to display errors to user
when attached to the console, but this makes little sense from a
security perspective. So, put everything back to the earlier possible
location (just after setting up the socket).

diff --git a/src/daemon/lldpd.c b/src/daemon/lldpd.c
index b3a8ada5240261f7bb566c4a3e76c8c47b26f69f..4a04cc94ec16964c33bda3e3acea9a7ccd839c02 100644 (file)
--- a/src/daemon/lldpd.c
+++ b/src/daemon/lldpd.c
@@ -1694,6 +1694,44 @@ lldpd_main(int argc, char *argv[], char *envp[])
        /* Disable SIGHUP, until handlers are installed */
        signal(SIGHUP, SIG_IGN);
 
+       /* Daemonization, unless started by upstart, systemd or launchd or debug */
+#ifndef HOST_OS_OSX
+       if (daemonize &&
+           !lldpd_started_by_upstart() && !lldpd_started_by_systemd()) {
+               int pid;
+               char *spid;
+               log_debug("main", "daemonize");
+               if (daemon(0, 0) != 0)
+                       fatal("main", "failed to detach daemon");
+               if ((pid = open(pidfile,
+                           O_TRUNC | O_CREAT | O_WRONLY, 0666)) == -1)
+                       fatal("main", "unable to open pid file " LLDPD_PID_FILE
+                           " (or the specified one)");
+               if (asprintf(&spid, "%d\n", getpid()) == -1)
+                       fatal("main", "unable to create pid file " LLDPD_PID_FILE
+                           " (or the specified one)");
+               if (write(pid, spid, strlen(spid)) == -1)
+                       fatal("main", "unable to write pid file " LLDPD_PID_FILE
+                           " (or the specified one)");
+               free(spid);
+               close(pid);
+       }
+#endif
+
+       log_debug("main", "initialize privilege separation");
+#ifdef ENABLE_PRIVSEP
+       priv_init(PRIVSEP_CHROOT, ctl, uid, gid);
+#else
+       priv_init(PRIVSEP_CHROOT, ctl, 0, 0);
+#endif
+
+       /* Configuration with lldpcli */
+       if (lldpcli) {
+               log_debug("main", "invoking lldpcli for configuration");
+               if (lldpd_configure(use_syslog, debug, lldpcli, ctlname) == -1)
+                       fatal("main", "unable to spawn lldpcli");
+       }
+
        /* Try to read system information from /etc/os-release if possible.
           Fall back to lsb_release for compatibility. */
        log_debug("main", "get OS/LSB release information");
@@ -1813,44 +1851,6 @@ lldpd_main(int argc, char *argv[], char *envp[])
        TAILQ_INSERT_TAIL(&cfg->g_chassis, lchassis, c_entries);
        lchassis->c_refcount++; /* We should always keep a reference to local chassis */
 
-       /* Daemonization, unless started by upstart, systemd or launchd or debug */
-#ifndef HOST_OS_OSX
-       if (daemonize &&
-           !lldpd_started_by_upstart() && !lldpd_started_by_systemd()) {
-               int pid;
-               char *spid;
-               log_debug("main", "daemonize");
-               if (daemon(0, 0) != 0)
-                       fatal("main", "failed to detach daemon");
-               if ((pid = open(pidfile,
-                           O_TRUNC | O_CREAT | O_WRONLY, 0666)) == -1)
-                       fatal("main", "unable to open pid file " LLDPD_PID_FILE
-                           " (or the specified one)");
-               if (asprintf(&spid, "%d\n", getpid()) == -1)
-                       fatal("main", "unable to create pid file " LLDPD_PID_FILE
-                           " (or the specified one)");
-               if (write(pid, spid, strlen(spid)) == -1)
-                       fatal("main", "unable to write pid file " LLDPD_PID_FILE
-                           " (or the specified one)");
-               free(spid);
-               close(pid);
-       }
-#endif
-
-       log_debug("main", "initialize privilege separation");
-#ifdef ENABLE_PRIVSEP
-       priv_init(PRIVSEP_CHROOT, ctl, uid, gid);
-#else
-       priv_init(PRIVSEP_CHROOT, ctl, 0, 0);
-#endif
-
-       /* Configuration with lldpcli */
-       if (lldpcli) {
-               log_debug("main", "invoking lldpcli for configuration");
-               if (lldpd_configure(use_syslog, debug, lldpcli, ctlname) == -1)
-                       fatal("main", "unable to spawn lldpcli");
-       }
-
        /* Main loop */
        log_debug("main", "start main loop");
        levent_loop(cfg);