问题
Is there a way for a UNIX domain socket listener to only accept connection from certain user (chmod/chown does not work for abstract socket afaik), or in another word, get the uid of the incoming connection (on Linux)?
Dbus, which uses abstract unix socket on Linux, has a function GetConnectionUnixUser which is used by polkit to determine the caller. So I suppose the dbus-daemon must have a way to do that. Does anyone know how that works?
回答1:
The easiest way to check peer credentials is with SO_PEERCRED.
To do this for socket sock:
int len;
struct ucred ucred;
len = sizeof(struct ucred);
if (getsockopt(sock, SOL_SOCKET, SO_PEERCRED, &ucred, &len) == -1)
// check errno
printf("Credentials from SO_PEERCRED: pid=%ld, euid=%ld, egid=%ld\n",
(long) ucred.pid, (long) ucred.uid, (long) ucred.gid);
SO_PEERCRED Return the credentials of the foreign process connected to this socket. This is possible only for connected AF_UNIX stream sockets and AF_UNIX stream and datagram socket pairs created using socketpair(2); see unix(7). The returned credentials are those that were in effect at the time of the call to connect(2) or socketpair(2). The argument is a ucred structure; define the _GNU_SOURCE feature test macro to obtain the definition of that structure from <sys/socket.h>. This socket option is read-only.
From a tlpi example. PostgreSQL has a few variants for other unices.
回答2:
Yes -- this operation, along with FD passing, is supported via an ancilliary message with the SCM_CREDENTIALS type. The calls involved are documented in man 7 unix.
来源:https://stackoverflow.com/questions/9898961/is-there-a-way-to-get-the-uid-of-the-other-end-of-a-unix-socket-connection