Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

UNIX Socket permissions (Linux)

I am using UNIX sockets in C to develop a server. From the manual:

In the Linux implementation, sockets which are visible in the filesystem honor the per‐ missions of the directory they are in. Their owner, group and their permissions can be changed. Creation of a new socket will fail if the process does not have write and search (execute) permission on the directory the socket is created in. Connecting to the socket object requires read/write permission. This behavior differs from many BSD- derived systems which ignore permissions for UNIX domain sockets. Portable programs should not rely on this feature for security.

I have a path that is world writeable.

    $ ls -ld api
    drwxrwxrwx 2 root www-data 4096 Feb 15 21:57 api

A process under root creates a socket in this path:

    $  ls -l api/socket
    srwxr-xr-x 1 root root 0 Feb 15 21:57 api/socket

Another process that is running as a user cannot connect to the socket due to permissions issues. If I manually change socket permissions to be writeable by everyone, then other processes can successfully connect.

  1. Why parent permissions are not enough to make the socket writeable as the doc says?
  2. What is the best practice in that case?
like image 556
Andrei Kouznetsov Avatar asked Feb 16 '16 06:02

Andrei Kouznetsov


2 Answers

1. Why parent permissions are not enough to make the socket writeable as the doc says?

The doc says

Connecting to the socket object requires read/write permission.

Parent permissions are only relevant for new socket creation, and that is all the doc says about it:

Creation of a new socket will fail if the process does not have write and search (execute) permission on the directory the socket is created in.

You are free to make your socket writeable:

Their owner, group and their permissions can be changed.

2. What is the best practice in that case?

Create a socket, and make it user's (man 2 chown). Or create a socket, and make it writeable (man 2 chmod).

like image 197
Amadan Avatar answered Nov 12 '22 17:11

Amadan


Unix sockets are affected by the umask of your process which, by default, will likely be 0022 (its actually an inherited property from the parent process, by default). This seems to be reflected in your api/socket.

If you want your socket world-writeable, the easiest way would be for you app to call this before your socket is created and bound:

umask(0);
like image 44
RickTx9 Avatar answered Nov 12 '22 17:11

RickTx9