From bc043d5793e8c196a0a1baf299eaf17ec736beae Mon Sep 17 00:00:00 2001
From: Robert DeRose <RobertDeRose@gmail.com>
Date: Tue, 2 May 2017 15:47:50 -0400
Subject: [PATCH] Fix drop-after options so they work

Moved all calls to `uwsgi_as_root` into `uwsgi.c` so that all handling
of privilege dropping is in the same file. Added extra checks to ensure
that privileges are properly dropped when the user requests them to be
dropped.

This closes #1519
---
 core/socket.c |  7 -------
 core/uwsgi.c  | 13 +++++++++++--
 2 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/core/socket.c b/core/socket.c
index 824019c59c..5bf8adb7fd 100644
--- a/core/socket.c
+++ b/core/socket.c
@@ -1846,13 +1846,6 @@ void uwsgi_bind_sockets() {
 
 stdin_done:
 
-	if (uwsgi.chown_socket) {
-		if (!uwsgi.master_as_root) {
-			uwsgi_as_root();
-		}
-	}
-
-
 	// check for auto_port socket
 	uwsgi_sock = uwsgi.sockets;
 	while (uwsgi_sock) {
diff --git a/core/uwsgi.c b/core/uwsgi.c
index 8ca09edc56..c247f019b7 100755
--- a/core/uwsgi.c
+++ b/core/uwsgi.c
@@ -2695,6 +2695,7 @@ int uwsgi_start(void *v_argv) {
 	uwsgi_file_write_do(uwsgi.file_write_list);
 
 	if (!uwsgi.master_as_root && !uwsgi.chown_socket && !uwsgi.drop_after_init && !uwsgi.drop_after_apps) {
+		uwsgi_log("dropping root privileges as early as possible\n");
 		uwsgi_as_root();
 	}
 
@@ -2937,6 +2938,11 @@ int uwsgi_start(void *v_argv) {
 		//now bind all the unbound sockets
 		uwsgi_bind_sockets();
 
+		if (!uwsgi.master_as_root && !uwsgi.drop_after_init && !uwsgi.drop_after_apps) {
+			uwsgi_log("dropping root privileges after socket binding\n");
+			uwsgi_as_root();
+		}
+
 		// put listening socket in non-blocking state and set the protocol
 		uwsgi_set_sockets_protocols();
 
@@ -2952,7 +2958,8 @@ int uwsgi_start(void *v_argv) {
 		}
 	}
 
-	if (uwsgi.drop_after_init) {
+	if (!uwsgi.master_as_root && !uwsgi.drop_after_apps) {
+		uwsgi_log("dropping root privileges after plugin initialization\n");
 		uwsgi_as_root();
 	}
 
@@ -3220,7 +3227,8 @@ int uwsgi_start(void *v_argv) {
 		uwsgi_init_all_apps();
 	}
 
-	if (uwsgi.drop_after_apps) {
+	if (!uwsgi.master_as_root) {
+		uwsgi_log("dropping root privileges after application loading\n");
 		uwsgi_as_root();
 	}
 
@@ -3475,6 +3483,7 @@ int uwsgi_run() {
 	}
 
 	if (uwsgi.master_as_root) {
+		uwsgi_log("dropping root privileges after master thread creation\n");
 		uwsgi_as_root();
 	}