UID/GID changes on config reload (if current euid privileges allow it).

Also, it takes place after binding to sockets and before zonedb loading.
Journals are created under the specified user.

refs #1464

src/knot/main.c

@@ -149,8 +149,8 @@ int main(int argc, char **argv)
 	// Initialize configuration
 	conf_read_lock();
 	conf_add_hook(conf(), CONF_LOG, log_conf_hook, 0);
-	conf_add_hook(conf(), CONF_LOG, zones_ns_conf_hook, server->nameserver);
-	conf_add_hook(conf(), CONF_LOG, server_conf_hook, server);
+	conf_add_hook(conf(), CONF_ALL, server_conf_hook, server);
+	conf_add_hook(conf(), CONF_ALL, zones_ns_conf_hook, server->nameserver);
 	conf_read_unlock();
 
 	// Find implicit configuration file
@@ -196,30 +196,6 @@ int main(int argc, char **argv)
 				conf()->ifaces_count, conf()->zones_count);
 	}
 	log_server_info("\n");
-	
-	// Drop privileges
-	int priv_failed = 0;
-	if (conf()->uid >= 0) {
-		uid_t id = conf()->uid;
-		log_server_info("Changing user id to %d.\n", id);
-		if (setreuid(id, id) < 0) {
-			log_server_error("Failed to change uid to %d.\n", id);
-			priv_failed = 1;
-		}
-	}
-	if (conf()->gid >= 0 && !priv_failed) {
-		gid_t id = conf()->gid;
-		log_server_info("Changing group id to %d.\n", id);
-		if (setregid(id, id) < 0) {
-			log_server_error("Failed to change gid to %d.\n", id);
-			priv_failed = 1;
-		}
-	}
-	if (priv_failed) {
-		server_destroy(&server);
-		free(config_fn);
-		return 1;
-	}
 
 	// Create server instance
 	char* pidfile = pid_filename();

src/knot/server/server.c

@@ -687,24 +687,45 @@ int server_conf_hook(const struct conf_t *conf, void *data)
 	if ((ret = server_bind_sockets(server)) < 0) {
 		log_server_error("Failed to bind configured "
 		                 "interfaces.\n");
-		return KNOTD_ERROR;
+	} else {
+		/* Update handlers. */
+		if ((ret = server_bind_handlers(server)) < 0) {
+			log_server_error("Failed to create handlers for "
+			                 "configured interfaces.\n");
+		}
 	}
-
-	/* Update handlers. */
-	if ((ret = server_bind_handlers(server)) < 0) {
-		log_server_error("Failed to create handlers for "
-		                 "configured interfaces.\n");
-		return ret;
+	
+	/* Lock configuration. */
+	conf_read_lock();
+	
+	/* Watch uid/gid. */
+	int priv_failed = 0;
+	if (conf->uid > -1 && conf->uid != getuid()) {
+		log_server_info("Changing user id to %d.\n", conf->uid);
+		if (setreuid(conf->uid, conf->uid) < 0) {
+			log_server_error("Failed to change uid to %d.\n",
+			                 conf->uid);
+			priv_failed = 1;
+		}
+	}
+	if (conf->gid > -1 && conf->gid != getgid() && !priv_failed) {
+		log_server_info("Changing group id to %d.\n", conf->gid);
+		if (setregid(conf->gid, conf->gid) < 0) {
+			log_server_error("Failed to change gid to %d.\n",
+			                 conf->gid);
+			priv_failed = 1;
+		}
+	}
+	if (priv_failed) {
+		ret = KNOTD_EACCES;
 	}
 
 	/* Exit if the server is not running. */
-	if (!(server->state & ServerRunning)) {
+	if (ret != KNOTD_EOK || !(server->state & ServerRunning)) {
+		conf_read_unlock();
 		return KNOTD_ENOTRUNNING;
 	}
 
-	/* Lock configuration. */
-	conf_read_lock();
-
 	/* Start new handlers. */
 	iohandler_t *h = 0;
 	WALK_LIST(h, server->handlers) {