Observed behavior
When the nats-server's config file uses JWT preload, and nats-server is invoked with -t, those preload JWTs can get written to the resolver store if not already present.
Configuration management system invokes nats-server -c /path/to/nats.conf -t to validate configuration. It did so as root because it was excessively complex to do as non-root.
Thus with a disk resolver, and validating the configuration, the resolver/jwt directory was created as root, thus when the nats-server started, it couldn't write to the resolver area and accounts could not be pushed.
Expected behavior
A -t test mode should present as a simple "config validation" and should not try to write/store anything.
Server and client version
nats-server 2.10.18.
Host environment
Linux, under configuration management.
Steps to reproduce
nats.conf:
resolver: {
    type: "full"
    dir: "/srv/nats/resolver/jwt"
}
resolver_preload: {
    Asomeacctid: some.jwt.here
}
Run nats-server -c nats.conf as root while the store does not exist.
Witness the store come into existence as root.
And yes, should not have let the config test run as root, but it seemed harmless and was a lot of hassle to work around the config management system. Fixed our test invocations locally, but this should be fixed for everyone by making sure that when CheckConfig, the func (s *Server) configureResolver() error function skips the ar.Store(k, v).
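The behavior the report asks for, as an added Go example (not nats-server's code and not part of the original report): a validation-only run checks the preload entries but never calls the store. The `dirStore` type, the `checkConfig` parameter, the `exists` helper and the three-segment check are assumptions made for illustration; only the names `configureResolver` and `Store` echo the report.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// dirStore is a hypothetical stand-in for a disk-backed account resolver.
type dirStore struct{ dir string }

// Store persists one account JWT, creating the directory on first use.
func (d *dirStore) Store(key, jwt string) error {
	if err := os.MkdirAll(d.dir, 0o750); err != nil {
		return err
	}
	return os.WriteFile(filepath.Join(d.dir, key+".jwt"), []byte(jwt), 0o640)
}

// configureResolver validates every preload entry, but only writes to the
// store when checkConfig is false, so a -t style run leaves no files behind.
func configureResolver(preload map[string]string, st *dirStore, checkConfig bool) error {
	for key, jwt := range preload {
		if strings.Count(jwt, ".") != 2 { // compact JWTs have three segments
			return fmt.Errorf("preload %q: not a compact JWT", key)
		}
		if !checkConfig { // a validation-only run must not touch the store
			if err := st.Store(key, jwt); err != nil {
				return err
			}
		}
	}
	return nil
}

// exists reports whether path is present on disk.
func exists(path string) bool {
	_, err := os.Stat(path)
	return err == nil
}

func main() {
	tmp, _ := os.MkdirTemp("", "resolver-demo")
	defer os.RemoveAll(tmp)
	st := &dirStore{dir: filepath.Join(tmp, "resolver", "jwt")}
	preload := map[string]string{"Asomeacctid": "some.jwt.here"} // sample from the report
	fmt.Println(configureResolver(preload, st, true), exists(st.dir))  // check mode
	fmt.Println(configureResolver(preload, st, false), exists(st.dir)) // normal start
}
```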