unix

UNIX(4)                     Kernel Interfaces Manual                   UNIX(4)

NAME
     unix — UNIX-domain protocol family

SYNOPSIS
     #include <sys/types.h>
     #include <sys/un.h>

DESCRIPTION
     The UNIX-domain protocol family is a collection of protocols that
     provides local (on-machine) interprocess communication through the normal
     socket(2) mechanisms.  The UNIX-domain family supports the SOCK_STREAM,
     SOCK_SEQPACKET, and SOCK_DGRAM socket types and uses file system
     pathnames for addressing.

ADDRESSING
     UNIX-domain addresses are variable-length file system pathnames of at
     most 104 characters.  The include file <sys/un.h> defines this address:

           struct sockaddr_un {
                   u_char  sun_len;
                   u_char  sun_family;
                   char    sun_path[104];
           };

     Binding a name to a UNIX-domain socket with bind(2) causes a socket file
     to be created in the file system.  This file is not removed when the
     socket is closed — unlink(2) must be used to remove the file.

     The length of UNIX-domain address, required by bind(2) and connect(2),
     can be calculated by the macro SUN_LEN() defined in <sys/un.h>.  The
     sun_path field must be terminated by a NUL character to be used with
     SUN_LEN(), but the terminating NUL is not part of the address.

     The UNIX-domain protocol family does not support broadcast addressing or
     any form of “wildcard” matching on incoming messages.  All addresses are
     absolute- or relative-pathnames of other UNIX-domain sockets.  Normal
     file system access-control mechanisms are also applied when referencing
     pathnames; e.g., the destination of a connect(2) or sendto(2) must be
     writable.

CONTROL MESSAGES
     The UNIX-domain sockets support the communication of UNIX file
     descriptors and process credentials through the use of the msg_control
     field in the msg argument to sendmsg(2) and recvmsg(2).  The items to be
     passed are described using a struct cmsghdr that is defined in the
     include file <sys/socket.h>.

     To send file descriptors, the type of the message is SCM_RIGHTS, and the
     data portion of the messages is an array of integers representing the
     file descriptors to be passed.  The number of descriptors being passed is
     defined by the length field of the message; the length field is the sum
     of the size of the header plus the size of the array of file descriptors.

     The received descriptor is a duplicate of the sender's descriptor, as if
     it were created via dup(fd) or fcntl(fd, F_DUPFD_CLOEXEC, 0) depending on
     whether MSG_CMSG_CLOEXEC is passed in the recvmsg(2) call.  Descriptors
     that are awaiting delivery, or that are purposely not received, are
     automatically closed by the system when the destination socket is closed.

     Credentials of the sending process can be transmitted explicitly using a
     control message of type SCM_CREDS with a data portion of type struct
     cmsgcred, defined in <sys/socket.h> as follows:

     struct cmsgcred {
       pid_t cmcred_pid;             /* PID of sending process */
       uid_t cmcred_uid;             /* real UID of sending process */
       uid_t cmcred_euid;            /* effective UID of sending process */
       gid_t cmcred_gid;             /* real GID of sending process */
       short cmcred_ngroups;         /* number of groups */
       gid_t cmcred_groups[CMGROUP_MAX];     /* groups */
     };

     The sender should pass a zeroed buffer which will be filled in by the
     system.

     The group list is truncated to at most CMGROUP_MAX GIDs.

     The process ID cmcred_pid should not be looked up (such as via the
     KERN_PROC_PID sysctl) for making security decisions.  The sending process
     could have exited and its process ID already been reused for a new
     process.

SOCKET OPTIONS
     UNIX domain sockets support a number of socket options which can be set
     with setsockopt(2) and tested with getsockopt(2):

     LOCAL_CREDS     This option may be enabled on SOCK_DGRAM, SOCK_SEQPACKET,
                     or a SOCK_STREAM socket.  This option provides a
                     mechanism for the receiver to receive the credentials of
                     the process calling write(2), send(2), sendto(2) or
                     sendmsg(2) as a recvmsg(2) control message.  The
                     msg_control field in the msghdr structure points to a
                     buffer that contains a cmsghdr structure followed by a
                     variable length sockcred structure, defined in
                     <sys/socket.h> as follows:

                     struct sockcred {
                       uid_t sc_uid;         /* real user id */
                       uid_t sc_euid;        /* effective user id */
                       gid_t sc_gid;         /* real group id */
                       gid_t sc_egid;        /* effective group id */
                       int   sc_ngroups;     /* number of supplemental groups */
                       gid_t sc_groups[1];   /* variable length */
                     };

                     The current implementation truncates the group list to at
                     most CMGROUP_MAX groups.

                     The SOCKCREDSIZE() macro computes the size of the
                     sockcred structure for a specified number of groups.  The
                     cmsghdr fields have the following values:

                     cmsg_len = CMSG_LEN(SOCKCREDSIZE(ngroups))
                     cmsg_level = SOL_SOCKET
                     cmsg_type = SCM_CREDS

                     On SOCK_STREAM and SOCK_SEQPACKET sockets credentials are
                     passed only on the first read from a socket, then the
                     system clears the option on the socket.

                     This option and the above explicit struct cmsgcred both
                     use the same value SCM_CREDS but incompatible control
                     messages.  If this option is enabled and the sender
                     attached a SCM_CREDS control message with a struct
                     cmsgcred, it will be discarded and a struct sockcred will
                     be included.

                     Many setuid programs will write(2) data at least
                     partially controlled by the invoker, such as error
                     messages.  Therefore, a message accompanied by a
                     particular sc_euid value should not be trusted as being
                     from that user.

     LOCAL_CONNWAIT  Used with SOCK_STREAM sockets, this option causes the
                     connect(2) function to block until accept(2) has been
                     called on the listening socket.

     LOCAL_PEERCRED  Requested via getsockopt(2) on a SOCK_STREAM socket
                     returns credentials of the remote side.  These will
                     arrive in the form of a filled in xucred structure,
                     defined in <sys/ucred.h> as follows:

                     struct xucred {
                       u_int cr_version;             /* structure layout version */
                       uid_t cr_uid;                 /* effective user id */
                       short cr_ngroups;             /* number of groups */
                       gid_t cr_groups[XU_NGROUPS];  /* groups */
                     };
                     The cr_version fields should be checked against
                     XUCRED_VERSION define.

                     The credentials presented to the server (the listen(2)
                     caller) are those of the client when it called
                     connect(2); the credentials presented to the client (the
                     connect(2) caller) are those of the server when it called
                     listen(2).  This mechanism is reliable; there is no way
                     for either party to influence the credentials presented
                     to its peer except by calling the appropriate system call
                     (e.g., connect(2) or listen(2)) under different effective
                     credentials.

                     To reliably obtain peer credentials on a SOCK_DGRAM
                     socket refer to the LOCAL_CREDS socket option.

SEE ALSO
     connect(2), dup(2), fcntl(2), getsockopt(2), listen(2), recvmsg(2),
     sendto(2), setsockopt(2), socket(2), CMSG_DATA(3), intro(4)

     "An Introductory 4.3 BSD Interprocess Communication Tutorial", PS1, 7.

     "An Advanced 4.3 BSD Interprocess Communication Tutorial", PS1, 8.

                                August 19, 2018