diff --git a/cmdmon.c b/cmdmon.c index 6581e05..8eaa0a2 100644 --- a/cmdmon.c +++ b/cmdmon.c @@ -267,10 +267,7 @@ CAM_Initialise(int family) assert(command_length == 0 || command_length >= offsetof(CMD_Reply, data)); } - if (CNF_GetBindCommandPath()[0]) - sock_fdu = prepare_socket(AF_UNIX, 0); - else - sock_fdu = -1; + sock_fdu = -1; port_number = CNF_GetCommandPort(); @@ -328,6 +325,17 @@ CAM_Finalise(void) /* ================================================== */ +void +CAM_OpenUnixSocket(void) +{ + /* This is separated from CAM_Initialise() as it needs to be called when + the process has already dropped the root privileges */ + if (CNF_GetBindCommandPath()[0]) + sock_fdu = prepare_socket(AF_UNIX, 0); +} + +/* ================================================== */ + static void transmit_reply(CMD_Reply *msg, union sockaddr_all *where_to) { diff --git a/cmdmon.h b/cmdmon.h index ac337e7..5b717d2 100644 --- a/cmdmon.h +++ b/cmdmon.h @@ -33,6 +33,7 @@ extern void CAM_Initialise(int family); extern void CAM_Finalise(void); +extern void CAM_OpenUnixSocket(void); extern int CAM_AddAccessRestriction(IPAddr *ip_addr, int subnet_bits, int allow, int all); extern int CAM_CheckAccessRestriction(IPAddr *ip_addr); diff --git a/main.c b/main.c index 95e99d2..e9b729f 100644 --- a/main.c +++ b/main.c @@ -95,10 +95,10 @@ MAI_CleanupAndExit(void) MNL_Finalise(); CLG_Finalise(); NSR_Finalise(); - NCR_Finalise(); - CAM_Finalise(); - NIO_Finalise(); SST_Finalise(); + NCR_Finalise(); + NIO_Finalise(); + CAM_Finalise(); KEY_Finalise(); RCL_Finalise(); SRC_Finalise(); @@ -474,6 +474,12 @@ int main RCL_Initialise(); KEY_Initialise(); + /* Open privileged ports before dropping root */ + CAM_Initialise(address_family); + NIO_Initialise(address_family); + NCR_Initialise(); + CNF_SetupAccessRestrictions(); + /* Command-line switch must have priority */ if (!sched_priority) { sched_priority = CNF_GetSchedPriority(); 
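Review bot: CAM_OpenUnixSocket() assigns sock_fdu without checking whether a socket is already open, so a second call would overwrite the descriptor stored by the first prepare_socket() call. A guard such as `if (sock_fdu < 0 && CNF_GetBindCommandPath()[0])` keeps the function safe to call more than once. The ordering rule in its comment (call only after root privileges are dropped) is a contract for callers, so it belongs on the declaration in cmdmon.h too, for example `/* Open the Unix domain command socket; call after CAM_Initialise() and after dropping root */`. How prepare_socket() reports failure is not visible in this hunk.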
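Review bot: In the block added to main() under `/* Open privileged ports before dropping root */`, CNF_SetupAccessRestrictions() now also runs before the privilege drop, although by its name it loads access rules rather than binding a port. If only CAM_Initialise(), NIO_Initialise() and NCR_Initialise() need root, leaving the rest after the drop keeps the privileged window as small as possible. If the restrictions have to be in place as soon as the sockets exist, the comment should say so, e.g. `/* Access restrictions are loaded right away so that no request is handled without them */`. The drop itself is outside this hunk, so the exact window is an assumption.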
@@ -502,9 +508,6 @@ int main
 REF_Initialise();
 SST_Initialise();
- NIO_Initialise(address_family);
- CAM_Initialise(address_family);
- NCR_Initialise();
 NSR_Initialise();
 CLG_Initialise();
 MNL_Initialise();
@@ -514,7 +517,7 @@ int main
 /* From now on, it is safe to do finalisation on exit */
 initialised = 1;
- CNF_SetupAccessRestrictions();
+ CAM_OpenUnixSocket();
 if (ref_mode == REF_ModeNormal && CNF_GetInitSources() > 0) {
 ref_mode = REF_ModeInitStepSlew;
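Review bot: The new call `CAM_OpenUnixSocket();` has no comment at the call site, yet its position after the privilege drop is the reason the function was split out of CAM_Initialise(). A later reordering of main() could move it back in front of the drop with nothing in this file to warn against it. I would add `/* Must stay after the root privileges are dropped, see CAM_OpenUnixSocket() */` above the call. main() starts and ends outside this hunk.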