Bind to local socket before dropping privileges

Bind the local TCP/UDP socket before UID/GID downgrade,
otherwise we cannot bind to ports < 1024.

Signed-off-by: James Yonan <james@openvpn.net>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: 1456993146-63968-10-git-send-email-james@openvpn.net
URL: http://www.mail-archive.com/search?l=mid&q=1456993146-63968-10-git-send-email-james@openvpn.net
Signed-off-by: David Sommerseth <davids@openvpn.net>

diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 87a0e32b21d3c23d62cfbce9823a2682efe25921..ad4ebc33d6de6c3d6ae546b4bfe0fa2bcc476a0c 100644 (file)
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -3696,6 +3696,10 @@ init_instance (struct context *c, const struct env_set *env, const unsigned int
     open_plugins (c, false, OPENVPN_PLUGIN_INIT_POST_DAEMON);
 #endif
 
+  /* finalize the TCP/UDP socket */
+  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
+    do_init_socket_2 (c);
+
   /*
    * Actually do UID/GID downgrade, and chroot, if requested.
    * May be delayed by --client, --pull, or --up-delay.
@@ -3705,10 +3709,6 @@ init_instance (struct context *c, const struct env_set *env, const unsigned int
   /* initialise connect timeout timer */
   do_init_server_poll_timeout(c);
 
-  /* finalize the TCP/UDP socket */
-  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
-    do_init_socket_2 (c);
-
   /* initialize timers */
   if (c->mode == CM_P2P || child)
     do_init_timers (c, false);