Sockets and Network Connections


Sockets are used for communication, particularly over a network. Sockets were originally developed in the BSD branch of Unix, but they have since been ported to other Unix-like systems: Linux and System V variants support sockets as well, and socket support is required by the Open Group's Single UNIX Specification [Open Group 1997]. System V systems traditionally used a different (incompatible) network communication interface, but it is worth noting that systems such as Solaris include socket support. socket(2) creates an endpoint for communication and returns a descriptor, much as open(2) does for files. The parameters to socket specify the protocol family and type, such as the Internet domain (TCP/IPv4), Novell's IPX, or the "Unix domain". A server typically calls bind(2), listen(2), and accept(2) or select(2); a client typically calls bind(2) (which may be omitted) and connect(2). See the respective man pages for more information on these routines. It can be hard to understand how to use sockets from the man pages alone; you may want to consult other material such as Hall "Beej" [1999] to learn how these calls are used together.

Unix domain sockets do not actually represent a network protocol; they can only connect to sockets on the same machine (at least at the time of writing, for the standard Linux kernel). When used as a stream, they are fairly similar to named pipes, but with significant advantages. In particular, a Unix domain socket is connection-oriented: each new connection to the socket produces a new communication channel, a very different situation from a named pipe. Because of this property, Unix domain sockets are often used instead of named pipes to implement IPC for many important services. Just as you can have an unnamed pipe, you can obtain an unnamed Unix domain socket with socketpair(2); unnamed Unix domain sockets are useful for IPC in the same way that unnamed pipes are.

Unix domain sockets have some interesting security properties. First, although Unix domain sockets can appear in the file system and can have stat(2) applied to them, they cannot be opened with open(2); you must use the socket(2) family of interfaces. Second, Unix domain sockets can be used to pass file descriptors between processes (not just a file's contents). This odd capability, which other IPC mechanisms do not provide, has been used to implement all sorts of schemes (descriptors can essentially serve as a limited form of the "capabilities" of computer science). A file descriptor is sent with sendmsg(2), where the msg_control field of the msghdr (message) points to an array of control message headers (the msg_controllen field must give the number of bytes in that array). Each control message is a struct cmsghdr followed by data, and for this purpose cmsg_type must be set to SCM_RIGHTS. The file descriptor is retrieved with recvmsg(2) and then extracted from the control message in the analogous way. Frankly, this feature is rather baroque, but it is worth knowing about.
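The sendmsg/recvmsg exchange described above, as an added example that is not from the original article: one descriptor (a pipe's read end) is handed across a socketpair(2) in an SCM_RIGHTS control message, and the receiver validates the control header before trusting the descriptor it carries. The function names send_fd, recv_fd and fd_passing_roundtrip are this example's own.

```c
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
/* Send one descriptor over a connected Unix domain socket; returns 0 on success. */
static int send_fd(int sock, int fd_to_send)
{
    char byte = 'F';            /* at least one byte of ordinary data must accompany it */
    struct iovec iov = { &byte, 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg = { 0 };
    memset(&u, 0, sizeof u);
    msg.msg_iov = &iov;      msg.msg_iovlen = 1;
    msg.msg_control = u.buf; msg.msg_controllen = sizeof u.buf;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;  /* this control message carries descriptors */
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd_to_send, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor; -1 unless the message carried exactly one SCM_RIGHTS fd. */
static int recv_fd(int sock)
{
    char byte;
    struct iovec iov = { &byte, 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg = { 0 };
    msg.msg_iov = &iov;      msg.msg_iovlen = 1;
    msg.msg_control = u.buf; msg.msg_controllen = sizeof u.buf;
    if (recvmsg(sock, &msg, 0) <= 0) return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);   /* validate before trusting the payload */
    if (!cm || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS ||
        cm->cmsg_len != CMSG_LEN(sizeof(int))) return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* Round trip: pass a pipe's read end to the "peer", write through the original
 * write end, read through the received descriptor. Returns 5 on success. */
int fd_passing_roundtrip(void)
{
    int sv[2], p[2], got; char buf[8];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0 || pipe(p) < 0) return -1;
    if (send_fd(sv[0], p[0]) < 0 || (got = recv_fd(sv[1])) < 0) return -1;
    if (write(p[1], "hello", 5) != 5) return -1;
    ssize_t n = read(got, buf, sizeof buf);     /* reads "hello" via the passed fd */
    close(sv[0]); close(sv[1]); close(p[0]); close(p[1]); close(got);
    return (n == 5 && memcmp(buf, "hello", 5) == 0) ? 5 : -1;
}
```

The received descriptor is a new number in the receiver's table that refers to the same open file description, which is why the read succeeds even though the receiver never opened the pipe itself.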

Linux 2.2 (and later) supports an additional feature of Unix domain sockets: you can obtain the peer's credentials (its pid, uid, and gid). Here is some sample code:

/* fd = file descriptor of the Unix domain socket connected
   to the client you wish to identify */
#define _GNU_SOURCE          /* struct ucred is a GNU extension */
#include <stdio.h>
#include <sys/socket.h>
struct ucred cr;
socklen_t cl = sizeof(cr);   /* getsockopt(2) expects a socklen_t, not an int */
if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cr, &cl) == 0) {
    printf("Peer's pid=%d, uid=%d, gid=%d\n",
           (int) cr.pid, (int) cr.uid, (int) cr.gid);
}

The standard Unix convention is that binding to a TCP or UDP local port number below 1024 requires root privilege, while any process may bind to any unbound port number of 1024 or greater. Linux follows this convention; more specifically, Linux requires a process to have the CAP_NET_BIND_SERVICE capability to bind to a port number below 1024, and this capability is normally held only by processes with euid 0. Readers who want to know more can check this in the Linux source code: in Linux 2.2.12 it is in the file /usr/src/linux/net/ipv4/af_inet.c, function inet_bind().
