5

Under many operating systems Unix-domain sockets allow a process to reliably pass its credentials to another process in a way that can't be maliciously subverted. For instance, this is done on Linux through the SO_PASSCRED and SO_PEERCRED options, on FreeBSD by passing messages that include the cmsgcred structure, and on NetBSD by setting the LOCAL_CREDS option. However, I haven't been able to find a way to perform this operation under Mac OS X. The corresponding header (socket.h) seems to have the functionality disabled for Apple's build.

#if !defined(_POSIX_C_SOURCE) || defined(_DARWIN_C_SOURCE)
#ifndef __APPLE__
// ...
struct cmsgcred {

Any idea of another Mac OS X facility that can accomplish the same result?

csl
Diomidis Spinellis

2 Answers

7

I haven't ever worked with it, but I think you're looking for LOCAL_PEERCRED (see man unix).

You can confirm the identity of the program at the other end of the socket using the LOCAL_PEERCRED socket option, introduced in Mac OS X 10.4.

See Technical Note TN2083: Daemons and Agents.

diciu
5

Even better, thanks to the accepted answer, I found that getpeereid() directly returns the required data.

Diomidis Spinellis