Product SiteDocumentation Site

16.3. UNIX domain socket authentication

UNIX domain sockets (with address family AF_UNIX or AF_LOCAL) are restricted to the local host and offer a special authentication mechanism: credentials passing.
Nowadays, most systems support the SO_PEERCRED (Linux) or LOCAL_PEERCRED (FreeBSD) socket options, or the getpeereid (other BSDs, MacOS X). These interfaces provide direct access to the (effective) user ID on the other end of a domain socket connect, without cooperation from the other end.
Historically, credentials passing was implemented using ancillary data in the sendmsg and recvmsg functions. On some systems, only credentials data that the peer has explicitly sent can be received, and the kernel checks the data for correctness on the sending side. This means that both peers need to deal with ancillary data. Compared to that, the modern interfaces are easier to use. Both sets of interfaces vary considerably among UNIX-like systems, unfortunately.
If you want to authenticate based on supplementary groups, you should obtain the user ID using one of these methods, and look up the list of supplementary groups using getpwuid (or getpwuid_r) and getgrouplist. Using the PID and information from /proc/PID/status is prone to race conditions and insecure.