有没有办法让UNIX域套接字侦听器只接受来自某个用户的连接(chmod / chown不适用于抽象套接字afaik),或者换句话说,获取uid传入连接(在Linux上)?
在Linux上使用抽象unix套接字的Dbus有一个函数GetConnectionUnixUser,polkit用它来确定调用者。所以我认为dbus-daemon必须有办法做到这一点。有谁知道它是如何工作的?
答案 0 :(得分:7)
检查对等凭据的最简单方法是使用SO_PEERCRED。
为套接字sock执行此操作:
int len;
struct ucred ucred;
len = sizeof(struct ucred);
if (getsockopt(sock, SOL_SOCKET, SO_PEERCRED, &ucred, &len) == -1)
// check errno
printf("Credentials from SO_PEERCRED: pid=%ld, euid=%ld, egid=%ld\n",
(long) ucred.pid, (long) ucred.uid, (long) ucred.gid);
SO_PEERCRED Return the credentials of the foreign process connected to this socket. This is possible only for connected AF_UNIX stream sockets and AF_UNIX stream and datagram socket pairs created using socketpair(2); see unix(7). The returned credentials are those that were in effect at the time of the call to connect(2) or socketpair(2). The argument is a ucred structure; define the _GNU_SOURCE feature test macro to obtain the definition of that structure from <sys/socket.h>. This socket option is read-only.
来自tlpi example。 PostgreSQL为其他unices提供了一些变体。
答案 1 :(得分:4)
是 - 通过带有SCM_CREDENTIALS类型的辅助消息支持此操作以及FD传递。所涉及的电话都记录在man 7 unix。