I am using UNIX sockets in C to develop a server. From the manual:
In the Linux implementation, sockets which are visible in the filesystem honor the per‐ missions of the directory they are in. Their owner, group and their permissions can be changed. Creation of a new socket will fail if the process does not have write and search (execute) permission on the directory the socket is created in. Connecting to the socket object requires read/write permission. This behavior differs from many BSD- derived systems which ignore permissions for UNIX domain sockets. Portable programs should not rely on this feature for security.
I have a path that is world writeable.
$ ls -ld api
drwxrwxrwx 2 root www-data 4096 Feb 15 21:57 api
A process under root creates a socket in this path:
$ ls -l api/socket
srwxr-xr-x 1 root root 0 Feb 15 21:57 api/socket
Another process that is running as a user cannot connect to the socket due to permissions issues. If I manually change socket permissions to be writeable by everyone, then other processes can successfully connect.
1. Why parent permissions are not enough to make the socket writeable as the doc says?
The doc says
Connecting to the socket object requires read/write permission.
Parent permissions are only relevant for new socket creation, and that is all the doc says about it:
Creation of a new socket will fail if the process does not have write and search (execute) permission on the directory the socket is created in.
You are free to make your socket writeable:
Their owner, group and their permissions can be changed.
2. What is the best practice in that case?
Create a socket, and make it user's (man 2 chown
). Or create a socket, and make it writeable (man 2 chmod
).
Unix sockets are affected by the umask of your process which, by default, will likely be 0022 (its actually an inherited property from the parent process, by default). This seems to be reflected in your api/socket.
If you want your socket world-writeable, the easiest way would be for you app to call this before your socket is created and bound:
umask(0);
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With