Fork me on GitHub

Peer Credentials

Unix Domain sockets enables a simple two-way authentication to ensure the other end is entitled to communicate.

A call to AFUNIXSocket#getPeerCredentials() returns an object with information about the peer (the other end).

NOTE: Depending on your operating system, not all properties are available (and therefore null or -1).

AFUNIXSocket socket = ...

// Once the socket is connected, you can obtain the credentials:
AFUNIXSocketCredentials credentials = socket.getPeerCredentials();

credentials.getPid(); // Returns the PID (Process ID), -1 means "could not retrieve".
credentials.getUid(); // Returns the UID (User ID), 0 means "root", -1 means "could not retrieve".
credentials.getGids(); // Returns the GIDs (Group IDs), the first one is the "primary" GID, null means "could not retrieve".
credentials.getGid(); // Returns the primary GIDs (Group ID), same as the first entry in getGids(); -1 means "could not retrieve".
credentials.getUUID(); // Returns the process binary's unique ID, null means "could not retrieve"

LIMITATION: The UUID is currently only supported on macOS. It is the identifier created by the linker, which means it may change upon recompilation, but should remain stable otherwise.

You can use otool to inspect the UUID for a binary: otool -l <path-to-binary> | grep uuid

IMPORTANT: All Java programs using the same JVM binary share the same UUID.

Authenticating RMI connections with Peer Credentials

junixsocket-rmi not only allows RMI connections over AF_UNIX sockets, it also makes it very easy to authenticate these connections with the help of peer credentials:

// Returns the peer credentials of a client calling our RMI method
// Helps answering the question "is the caller authorized"?
AFUNIXSocketCredentials credentials = RemotePeerInfo.remotePeerCredentials();

// Returns the peer credentials of a server providing the given remote object
// Helps answering the question "is the service trusted"?
AFUNIXSocketCredentials credentials = RemotePeerInfo.remotePeerCredentials(someRemoteObject);

Not supported by all platforms

Not all platforms support file descriptors over AF_UNIX. Make sure they’re available using

AFUNIXSocket.supports(AFUNIXSocketCapability.CAPABILITY_PEER_CREDENTIALS).