UNIX domain sockets [was Re: dce/rpc services]

Sander Striker s.striker at striker.nl
Wed Aug 23 11:48:26 GMT 2000


>Gerald Carter wrote:
>[]
>> My understanding of Luke's implementation and how
>> it could (should) work is this...
>> 
>>   * The UNIX domain socket is only available to
>>     root processes.
>
>No, this is wrong.  They are just like other regular files
>(but not like devices -- you should be root to do mknod),
>and have the usual file permissions (but broken (not honored)
>on some systems).  Any process can create a socket where it
>can create a regular file, and any process can use that socket
>the same way as a regular file.  The best comparison
>here is a FIFO.

Err, what Gerald means I think is that Luke is opening
the domain socket as root and setting all permissions to
root only. This way the domain socket is only available
between become_root()/unbecome_root() pairs, or something
like that.
So it's not a restriction the OS introduces, it is an
implementation choice, to prevent non-root exploits.

[...]

Sander
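
The implementation choice discussed in this message, sketched as an added example (not part of the original post and not Samba's or Luke's code): the socket is bound with owner-only mode bits inside an owner-only directory, so the restriction still holds on systems that do not honor permissions on the socket file itself. `bind_owner_only`, `mode_of` and the paths are hypothetical names; the owner is whoever runs it, which is root in the case described above.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>

/* Hypothetical helper (not Samba code): listen on a UNIX domain socket that
 * only the creating user can reach. Returns the listening fd, or -1. */
int bind_owner_only(const char *dir, const char *name, char *path, size_t plen)
{
    struct sockaddr_un sa;
    struct stat st;
    mode_t old;
    int fd, rc;

    /* Portable gate: connect() needs search permission on the directory,
     * even on systems that ignore the socket file's own mode bits. */
    if (mkdir(dir, 0700) != 0 && errno != EEXIST) return -1;
    if (lstat(dir, &st) != 0 || !S_ISDIR(st.st_mode) ||  /* no symlinks */
        st.st_uid != geteuid() || chmod(dir, 0700) != 0) return -1;
    rc = snprintf(path, plen, "%s/%s", dir, name);
    if (rc < 0 || (size_t)rc >= plen || (size_t)rc >= sizeof(sa.sun_path))
        return -1;                      /* path would be truncated */
    memset(&sa, 0, sizeof(sa));
    sa.sun_family = AF_UNIX;
    memcpy(sa.sun_path, path, (size_t)rc + 1);
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) return -1;
    unlink(path);                       /* stale socket from an earlier run */
    old = umask(0077);                  /* no group/other bits, from creation on */
    rc = bind(fd, (struct sockaddr *)&sa, sizeof(sa));
    umask(old);
    if (rc != 0 || listen(fd, 5) != 0) { close(fd); return -1; }
    return fd;
}

/* Permission bits of a path, or -1 if it cannot be examined. */
int mode_of(const char *p)
{
    struct stat st;
    return lstat(p, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}

int main(void)
{
    char path[108];
    int fd = bind_owner_only("/tmp/uds-example", "rpc.sock", path, sizeof(path));
    if (fd >= 0) printf("%s: socket mode %o\n", path, (unsigned)mode_of(path));
    return fd < 0;
}
```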




