proxy: move permissions drop outside tokio rt

src/proxy/mod.rs

@@ -13,6 +13,7 @@ use std::net::SocketAddr;
 use std::path::{Path, PathBuf};
 use std::process::{Child, Command};
 use std::thread::spawn;
+use nix::errno::Errno;
 use thiserror::Error;
 use tokio::runtime::Builder;
 use tokio::signal::ctrl_c;
@@ -135,17 +136,6 @@ pub fn proxy(
         ))?)
     };
 
-    let nobody_uid = Uid::from(
-        get_user_by_name("nobody")
-            .map(|user| user.uid())
-            .unwrap_or(65534),
-    );
-    let nobody_gid = Gid::from(
-        get_group_by_name("nobody")
-            .map(|group| group.gid())
-            .unwrap_or(65534),
-    );
-
     let rt = match Builder::new_current_thread().enable_io().build() {
         Ok(rt) => rt,
         Err(error) => {
@@ -154,7 +144,6 @@ pub fn proxy(
         }
     };
 
-    rt.block_on(async {
     if let Some(listen_namespace) = listen_namespace
         && let Err(error) = setns(listen_namespace, CloneFlags::CLONE_NEWNET)
     {
@@ -175,10 +164,11 @@ pub fn proxy(
         return Err(error.into());
     }
 
-        if let Err(error) = setgid(nobody_gid).and_then(|_| setuid(nobody_uid)) {
+    if let Err(error) = drop_to_nobody() {
         error!(%error, "Failed to drop privileges");
     }
 
+    rt.block_on(async {
         tokio::spawn(async move {
             let _ = ctrl_c().await;
             abort.abort();
@@ -189,3 +179,18 @@ pub fn proxy(
         Ok(())
     })
 }
+
+fn drop_to_nobody() -> Result<(), Errno> {
+    let nobody_uid = Uid::from(
+        get_user_by_name("nobody")
+            .map(|user| user.uid())
+            .unwrap_or(65534),
+    );
+    let nobody_gid = Gid::from(
+        get_group_by_name("nobody")
+            .map(|group| group.gid())
+            .unwrap_or(65534),
+    );
+
+    setgid(nobody_gid).and_then(|_| setuid(nobody_uid))
+}