I am developing a server in C using UNIX sockets. From the manual:
In the Linux implementation, sockets which are visible in the filesystem honor the permissions of the directory they are in. Their owner, group and their permissions can be changed. Creation of a new socket will fail if the process does not have write and search (execute) permission on the directory the socket is created in. Connecting to the socket object requires read/write permission. This behavior differs from many BSD-derived systems which ignore permissions for UNIX domain sockets. Portable programs should not rely on this feature for security.
I have a world-writable path.
$ ls -ld api
drwxrwxrwx 2 root www-data 4096 Feb 15 21:57 api
A process running as root creates a socket in this path:
$ ls -l api/socket
srwxr-xr-x 1 root root 0 Feb 15 21:57 api/socket
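Because of a permissions problem, another process running as a user cannot connect to the socket. If I manually change the socket permissions to be writable by everyone, the other process can connect successfully.
- Why aren't the parent's permissions enough to make the socket writable, as the documentation says?
- What is the best practice in this situation?
Best answer
1. Why aren't the parent's permissions enough to make the socket writable, as the documentation says?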
Connecting to the socket object requires read/write permission.
The parent's permissions matter only for the creation of a new socket, and that is all the documentation says:
Creation of a new socket will fail if the process does not have write and search (execute) permission on the directory the socket is created in.
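You are free to make your socket writable:
Their owner, group and their permissions can be changed.
2. What is the best practice in this situation?
Create the socket and make it owned by the user (man 2 chown). Or create the socket and make it writable (man 2 chmod).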
Regarding c - UNIX socket permissions (Linux), we found a similar question on Stack Overflow: https://stackoverflow.com/questions/35424970/