Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

UNIX Socket permissions (Linux)

Tags:

c

linux

unix

sockets

I am using UNIX sockets in C to develop a server. From the manual:

In the Linux implementation, sockets which are visible in the filesystem honor the per‐ missions of the directory they are in. Their owner, group and their permissions can be changed. Creation of a new socket will fail if the process does not have write and search (execute) permission on the directory the socket is created in. Connecting to the socket object requires read/write permission. This behavior differs from many BSD- derived systems which ignore permissions for UNIX domain sockets. Portable programs should not rely on this feature for security.

I have a path that is world writeable.

    $ ls -ld api
    drwxrwxrwx 2 root www-data 4096 Feb 15 21:57 api

A process under root creates a socket in this path:

    $  ls -l api/socket
    srwxr-xr-x 1 root root 0 Feb 15 21:57 api/socket

Another process that is running as a user cannot connect to the socket due to permissions issues. If I manually change socket permissions to be writeable by everyone, then other processes can successfully connect.

  1. Why parent permissions are not enough to make the socket writeable as the doc says?
  2. What is the best practice in that case?
like image 556
Andrei Kouznetsov Avatar asked Feb 16 '16 06:02

Andrei Kouznetsov

2 Answers

1. Why parent permissions are not enough to make the socket writeable as the doc says?

The doc says

Connecting to the socket object requires read/write permission.

Parent permissions are only relevant for new socket creation, and that is all the doc says about it:

Creation of a new socket will fail if the process does not have write and search (execute) permission on the directory the socket is created in.

You are free to make your socket writeable:

Their owner, group and their permissions can be changed.

2. What is the best practice in that case?

Create a socket, and make it user's (man 2 chown). Or create a socket, and make it writeable (man 2 chmod).

like image 197
Amadan Avatar answered Nov 12 '22 17:11

Amadan

Unix sockets are affected by the umask of your process which, by default, will likely be 0022 (its actually an inherited property from the parent process, by default). This seems to be reflected in your api/socket.

If you want your socket world-writeable, the easiest way would be for you app to call this before your socket is created and bound:

umask(0);
like image 44
RickTx9 Avatar answered Nov 12 '22 17:11

RickTx9
Sign in to Comment

Related questions

is char signed or unsigned by default on iOS?
CreateProcess( ) doesn't create a new window with CREATE_NEW_CONSOLE flag - C/C++
Equivalent using for-loop instead do-while-loop
Quickly count number of zero-valued bytes in an array
Conversion warning when adding two uint8_t
Reverse bytes for 64-bit value
Why does the read end of a pipe read EOF only if the write end is closed?
Store latitude in 3.5 bytes
goto instruction to jump ahead of variable length array
Accesing a 2D array using a single pointer
Using SHA2-512 (CALG_SHA_512) on Windows 7 returns "Invalid Algorithm Specified"
Array of variable length in struct
Can fopen be used to open the URL
How do I use a Linux System call from a Linux Kernel Module
Where/how to get the "getline" function if it is missing from stdio.h?
How to properly compare command-line arguments?
warning: format ‘%d’ expects argument of type ‘int’, but argument 2 has type ‘long int’ [-Wformat=]
Arbitrary size integers in C/C++
Dereferencing function pointers in C to access CODE memory
How to properly flush stdin in fgets loop

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!