1.\" Copyright (c) 1991, 1993 2.\" The Regents of the University of California. All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. 9.\" 2. Redistributions in binary form must reproduce the above copyright 10.\" notice, this list of conditions and the following disclaimer in the 11.\" documentation and/or other materials provided with the distribution. 12.\" 3. Neither the name of the University nor the names of its contributors 13.\" may be used to endorse or promote products derived from this software 14.\" without specific prior written permission. 15.\" 16.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 17.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 20.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26.\" SUCH DAMAGE. 27.\" 28.\" @(#)unix.4 8.1 (Berkeley) 6/9/93 29.\" $FreeBSD$ 30.\" 31.Dd August 19, 2018 32.Dt UNIX 4 33.Os 34.Sh NAME 35.Nm unix 36.Nd UNIX-domain protocol family 37.Sh SYNOPSIS 38.In sys/types.h 39.In sys/un.h 40.Sh DESCRIPTION 41The 42.Ux Ns -domain 43protocol family is a collection of protocols 44that provides local (on-machine) interprocess 45communication through the normal 46.Xr socket 2 47mechanisms. 48The 49.Ux Ns -domain 50family supports the 51.Dv SOCK_STREAM , 52.Dv SOCK_SEQPACKET , 53and 54.Dv SOCK_DGRAM 55socket types and uses 56file system pathnames for addressing. 57.Sh ADDRESSING 58.Ux Ns -domain 59addresses are variable-length file system pathnames of 60at most 104 characters. 61The include file 62.In sys/un.h 63defines this address: 64.Bd -literal -offset indent 65struct sockaddr_un { 66 u_char sun_len; 67 u_char sun_family; 68 char sun_path[104]; 69}; 70.Ed 71.Pp 72Binding a name to a 73.Ux Ns -domain 74socket with 75.Xr bind 2 76causes a socket file to be created in the file system. 77This file is 78.Em not 79removed when the socket is closed \(em 80.Xr unlink 2 81must be used to remove the file. 82.Pp 83The length of 84.Ux Ns -domain 85address, required by 86.Xr bind 2 87and 88.Xr connect 2 , 89can be calculated by the macro 90.Fn SUN_LEN 91defined in 92.In sys/un.h . 93The 94.Va sun_path 95field must be terminated by a 96.Dv NUL 97character to be used with 98.Fn SUN_LEN , 99but the terminating 100.Dv NUL 101is 102.Em not 103part of the address. 104.Pp 105The 106.Ux Ns -domain 107protocol family does not support broadcast addressing or any form 108of 109.Dq wildcard 110matching on incoming messages. 111All addresses are absolute- or relative-pathnames 112of other 113.Ux Ns -domain 114sockets. 115Normal file system access-control mechanisms are also 116applied when referencing pathnames; e.g., the destination 117of a 118.Xr connect 2 119or 120.Xr sendto 2 121must be writable. 122.Sh CONTROL MESSAGES 123The 124.Ux Ns -domain 125sockets support the communication of 126.Ux 127file descriptors and process credentials through the use of the 128.Va msg_control 129field in the 130.Fa msg 131argument to 132.Xr sendmsg 2 133and 134.Xr recvmsg 2 . 135The items to be passed are described using a 136.Vt "struct cmsghdr" 137that is defined in the include file 138.In sys/socket.h . 139.Pp 140To send file descriptors, the type of the message is 141.Dv SCM_RIGHTS , 142and the data portion of the messages is an array of integers 143representing the file descriptors to be passed. 144The number of descriptors being passed is defined 145by the length field of the message; 146the length field is the sum of the size of the header 147plus the size of the array of file descriptors. 148.Pp 149The received descriptor is a 150.Em duplicate 151of the sender's descriptor, as if it were created via 152.Li dup(fd) 153or 154.Li fcntl(fd, F_DUPFD_CLOEXEC, 0) 155depending on whether 156.Dv MSG_CMSG_CLOEXEC 157is passed in the 158.Xr recvmsg 2 159call. 160Descriptors that are awaiting delivery, or that are 161purposely not received, are automatically closed by the system 162when the destination socket is closed. 163.Pp 164Credentials of the sending process can be transmitted explicitly using a 165control message of type 166.Dv SCM_CREDS 167with a data portion of type 168.Vt "struct cmsgcred" , 169defined in 170.In sys/socket.h 171as follows: 172.Bd -literal 173struct cmsgcred { 174 pid_t cmcred_pid; /* PID of sending process */ 175 uid_t cmcred_uid; /* real UID of sending process */ 176 uid_t cmcred_euid; /* effective UID of sending process */ 177 gid_t cmcred_gid; /* real GID of sending process */ 178 short cmcred_ngroups; /* number of groups */ 179 gid_t cmcred_groups[CMGROUP_MAX]; /* groups */ 180}; 181.Ed 182.Pp 183The sender should pass a zeroed buffer which will be filled in by the system. 184.Pp 185The group list is truncated to at most 186.Dv CMGROUP_MAX 187GIDs. 188.Pp 189The process ID 190.Fa cmcred_pid 191should not be looked up (such as via the 192.Dv KERN_PROC_PID 193sysctl) for making security decisions. 194The sending process could have exited and its process ID already been 195reused for a new process. 196.Sh SOCKET OPTIONS 197.Tn UNIX 198domain sockets support a number of socket options which can be set with 199.Xr setsockopt 2 200and tested with 201.Xr getsockopt 2 : 202.Bl -tag -width ".Dv LOCAL_CONNWAIT" 203.It Dv LOCAL_CREDS 204This option may be enabled on 205.Dv SOCK_DGRAM , 206.Dv SOCK_SEQPACKET , 207or a 208.Dv SOCK_STREAM 209socket. 210This option provides a mechanism for the receiver to 211receive the credentials of the process calling 212.Xr write 2 , 213.Xr send 2 , 214.Xr sendto 2 215or 216.Xr sendmsg 2 217as a 218.Xr recvmsg 2 219control message. 220The 221.Va msg_control 222field in the 223.Vt msghdr 224structure points to a buffer that contains a 225.Vt cmsghdr 226structure followed by a variable length 227.Vt sockcred 228structure, defined in 229.In sys/socket.h 230as follows: 231.Bd -literal 232struct sockcred { 233 uid_t sc_uid; /* real user id */ 234 uid_t sc_euid; /* effective user id */ 235 gid_t sc_gid; /* real group id */ 236 gid_t sc_egid; /* effective group id */ 237 int sc_ngroups; /* number of supplemental groups */ 238 gid_t sc_groups[1]; /* variable length */ 239}; 240.Ed 241.Pp 242The current implementation truncates the group list to at most 243.Dv CMGROUP_MAX 244groups. 245.Pp 246The 247.Fn SOCKCREDSIZE 248macro computes the size of the 249.Vt sockcred 250structure for a specified number 251of groups. 252The 253.Vt cmsghdr 254fields have the following values: 255.Bd -literal 256cmsg_len = CMSG_LEN(SOCKCREDSIZE(ngroups)) 257cmsg_level = SOL_SOCKET 258cmsg_type = SCM_CREDS 259.Ed 260.Pp 261On 262.Dv SOCK_STREAM 263and 264.Dv SOCK_SEQPACKET 265sockets credentials are passed only on the first read from a socket, 266then the system clears the option on the socket. 267.Pp 268This option and the above explicit 269.Vt "struct cmsgcred" 270both use the same value 271.Dv SCM_CREDS 272but incompatible control messages. 273If this option is enabled and the sender attached a 274.Dv SCM_CREDS 275control message with a 276.Vt "struct cmsgcred" , 277it will be discarded and a 278.Vt "struct sockcred" 279will be included. 280.Pp 281Many setuid programs will 282.Xr write 2 283data at least partially controlled by the invoker, 284such as error messages. 285Therefore, a message accompanied by a particular 286.Fa sc_euid 287value should not be trusted as being from that user. 288.It Dv LOCAL_CONNWAIT 289Used with 290.Dv SOCK_STREAM 291sockets, this option causes the 292.Xr connect 2 293function to block until 294.Xr accept 2 295has been called on the listening socket. 296.It Dv LOCAL_PEERCRED 297Requested via 298.Xr getsockopt 2 299on a 300.Dv SOCK_STREAM 301socket returns credentials of the remote side. 302These will arrive in the form of a filled in 303.Vt xucred 304structure, defined in 305.In sys/ucred.h 306as follows: 307.Bd -literal 308struct xucred { 309 u_int cr_version; /* structure layout version */ 310 uid_t cr_uid; /* effective user id */ 311 short cr_ngroups; /* number of groups */ 312 gid_t cr_groups[XU_NGROUPS]; /* groups */ 313 pid_t cr_pid; /* process id of the sending process */ 314}; 315.Ed 316The 317.Vt cr_version 318fields should be checked against 319.Dv XUCRED_VERSION 320define. 321.Pp 322The credentials presented to the server (the 323.Xr listen 2 324caller) are those of the client when it called 325.Xr connect 2 ; 326the credentials presented to the client (the 327.Xr connect 2 328caller) are those of the server when it called 329.Xr listen 2 . 330This mechanism is reliable; there is no way for either party to influence 331the credentials presented to its peer except by calling the appropriate 332system call (e.g., 333.Xr connect 2 334or 335.Xr listen 2 ) 336under different effective credentials. 337.Pp 338To reliably obtain peer credentials on a 339.Dv SOCK_DGRAM 340socket refer to the 341.Dv LOCAL_CREDS 342socket option. 343.El 344.Sh SEE ALSO 345.Xr connect 2 , 346.Xr dup 2 , 347.Xr fcntl 2 , 348.Xr getsockopt 2 , 349.Xr listen 2 , 350.Xr recvmsg 2 , 351.Xr sendto 2 , 352.Xr setsockopt 2 , 353.Xr socket 2 , 354.Xr CMSG_DATA 3 , 355.Xr intro 4 356.Rs 357.%T "An Introductory 4.3 BSD Interprocess Communication Tutorial" 358.%B PS1 359.%N 7 360.Re 361.Rs 362.%T "An Advanced 4.3 BSD Interprocess Communication Tutorial" 363.%B PS1 364.%N 8 365.Re 366