Changing real/effective uid/gid on Knot startup.

TODO: May be a problem with newly created journals under privileged user.

refs #1464, fixes #1352

src/knot/conf/cf-parse.y

@@ -297,9 +297,6 @@ system:
      struct passwd* pwd = getpwnam($3.t);
      if (pwd != NULL) {
        new_config->uid = pwd->pw_uid;
-       if (new_config->gid < 0) { // Fill default gid if not already set
-         new_config->gid = pwd->pw_gid;
-       }
      } else {
        snprintf(buf, sizeof(buf), "invalid user name '%s'", $3.t);
        cf_error(scanner, buf);

src/knot/main.c

@@ -196,6 +196,30 @@ int main(int argc, char **argv)
 				conf()->ifaces_count, conf()->zones_count);
 	}
 	log_server_info("\n");
+	
+	// Drop privileges
+	int priv_failed = 0;
+	if (conf()->uid >= 0) {
+		uid_t id = conf()->uid;
+		log_server_info("Changing user id to %d.\n", id);
+		if (setreuid(id, id) < 0) {
+			log_server_error("Failed to change uid to %d.\n", id);
+			priv_failed = 1;
+		}
+	}
+	if (conf()->gid >= 0 && !priv_failed) {
+		gid_t id = conf()->gid;
+		log_server_info("Changing group id to %d.\n", id);
+		if (setregid(id, id) < 0) {
+			log_server_error("Failed to change gid to %d.\n", id);
+			priv_failed = 1;
+		}
+	}
+	if (priv_failed) {
+		server_destroy(&server);
+		free(config_fn);
+		return 1;
+	}
 
 	// Create server instance
 	char* pidfile = pid_filename();