From: James Yonan Date: Thu, 3 Mar 2016 08:19:06 +0000 (-0700) Subject: Bind to local socket before dropping privileges X-Git-Tag: v2.4_alpha1~42 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b3e975824ea9ebae8dbea5b451c8d02525c83ffe;p=thirdparty%2Fopenvpn.git Bind to local socket before dropping privileges Bind the local TCP/UDP socket before UID/GID downgrade, otherwise we cannot bind to ports < 1024. Signed-off-by: James Yonan Acked-by: David Sommerseth Message-Id: 1456993146-63968-10-git-send-email-james@openvpn.net URL: http://www.mail-archive.com/search?l=mid&q=1456993146-63968-10-git-send-email-james@openvpn.net Signed-off-by: David Sommerseth --- diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 87a0e32b2..ad4ebc33d 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -3696,6 +3696,10 @@ init_instance (struct context *c, const struct env_set *env, const unsigned int open_plugins (c, false, OPENVPN_PLUGIN_INIT_POST_DAEMON); #endif + /* finalize the TCP/UDP socket */ + if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP) + do_init_socket_2 (c); + /* * Actually do UID/GID downgrade, and chroot, if requested. * May be delayed by --client, --pull, or --up-delay. @@ -3705,10 +3709,6 @@ init_instance (struct context *c, const struct env_set *env, const unsigned int /* initialise connect timeout timer */ do_init_server_poll_timeout(c); - /* finalize the TCP/UDP socket */ - if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP) - do_init_socket_2 (c); - /* initialize timers */ if (c->mode == CM_P2P || child) do_init_timers (c, false);
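Review bot: In the first init.c hunk (@@ -3696,6 +3696,10), the comment on the moved call, `/* finalize the TCP/UDP socket */`, does not record why the call has to sit above the UID/GID downgrade block. The commit message gives the reason (binding to ports < 1024 fails after the downgrade), but nothing in the code stops a later cleanup from moving `do_init_socket_2 (c);` back below it. Suggest extending the comment to state that this must run before the privilege drop and chroot. Please also confirm that everything do_init_socket_2 does is acceptable to run with the original privileges and outside the chroot, since the whole call, not only the bind, now executes before the downgrade.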
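Review bot: In the second init.c hunk (@@ -3705,10 +3709,6), removing the call from below `do_init_server_poll_timeout(c);` means socket finalization now runs before the connect timeout timer is initialised, where it previously ran after it. The commit message only discusses the ordering against the UID/GID downgrade, so please confirm that do_init_socket_2 does not depend on that timer in any of the modes in the condition (CM_P2P, CM_TOP, CM_CHILD_TCP), or move the timer initialisation up together with the socket call.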