
How can I transfer a file descriptor over a named pipe

My goal is to create a concept for daemons which interact locally (i.e. not via network) with other processes, all with different user ids/rights.

To restrict access to the daemons to processes with the right access levels, I thought of the following concept:

  • Each daemon opens a named pipe for reading in /foo/{daemon-name}
  • The access to that named pipe can be easily managed via normal file access rights, so other processes not in the correct user group will have no write access to the pipe
  • Changing access rights to the daemon later is easily done without the need to recompile
  • A process that wants to communicate with the daemon sends one end of a socketpair() via the named pipe and communication continues over that link

That way, each daemon could implement their own API or packet format to communicate via the socketpair. But there would be no need for authentication and such because the access rights to the named pipe already took care of only a specific group being able to send the socketpair to communicate over.

Now the only problem I have is that I can't get the transfer of the socketpair() file descriptor to work over the named pipe. sendmsg() apparently does not work on named pipes.

How can I send one of the socketpair() fds via the named pipe so that the daemon can access the connection and start communicating?

A named pipe won't work for what you want to do - the pipe retains no information regarding where the data in it came from. It's a pipe for raw data bits, not a connection like a socket that retains a lot more information about where the data came from and where it's going.

Unix-domain sockets and named pipes are not the same - they have different capabilities. Unix-domain sockets can be used to send file descriptors between processes, named pipes can't. Why they have been implemented that way is another question.

Since you're trying to create a socket connection between your daemon and client processes, just use Unix-domain sockets to get such a connection directly. File system permissions work with Unix-domain sockets just as they do for named pipes.
