UNIX domain sockets inaccessible to users?

I am running a client / server application on Red Hat Enterprise using ZMQ for messaging. The IPC socket used to bind a client to a server is implemented using a Unix domain socket.

If user A starts the server process, it seems that only clients launched by user A can connect to and communicate with this socket. Our project requires that customers can work with different users, so this is an important point.

The socket is located in /tmp/ipc_assoc with default permissions of 755. chmod 777 does not fix the problem. chown userB allows user B to access the socket, but user A then loses access. Even root cannot access the socket. There is no ACL or SELinux on the machine.

Is this typical behavior for Unix domain sockets? Has anyone figured out how to get around this?

+6
linux sockets
4 answers

With some help from the ZMQ mailing list, I got it working. This is ugly, but seems to work consistently.

I needed to create a subdirectory under /tmp and chmod 777 it. Now the server creates the socket in this new folder. It also programmatically chmods the socket to 777. Now, while the server is running as administrator, any user can start the client and talk to the server.

I don't know why a UNIX domain socket behaves this way, but it is definitely annoying.

+1

Call chmod(s.sun_path, 0777); after listening on the socket.

    domain = AF_UNIX;
    name = servname;
    port = -1;
    n = MakeLocalSocket(s);            /* helper from the poster's code base (not shown): fills in s and returns its length */
    if (n == 0) {
        fatal("can't create socket");
    }
    unlink(s.sun_path);                /* remove a stale socket file left by a previous run */
    if (bind(fd, (struct sockaddr *)&s, n) < 0) {
        fatal("can't bind socket");
    }
    if (listen(fd, 5) != 0) {
        fatal("can't listen to socket");
    }
    /* UNIX domain sockets need to be mode 777 on 4.3 */
    chmod(s.sun_path, 0777);
+4

Change umask temporarily:

    mode_t umask_ = umask(0000);       /* let the socket be mode 0777 so that other users can connect */
    int err = bind(fd, (struct sockaddr *)&unix_bind_addr, sizeof(unix_bind_addr));
    umask(umask_);                     /* restore old umask (0777 is a pretty bad choice for normal stuff) */
    if (err) {
        /* handle bind error here */
    }

Of course, this is a bad idea if you use threads.

+2

Have you tried adding UserA and UserB to a common user group?

0
