On this page
Sockets
The subsystem exposes three Unix-domain sockets. All three MUST be
SOCK_SEQPACKET: this is required for the kernel peer-token capture
(§6.2) — datagram and socketpair sockets yield no peer token — and it
provides message framing and SCM_RIGHTS fd passing.
| Socket | Owner / listener | Purpose | Connect access |
|---|---|---|---|
/run/authd.sock |
authd | Client door: Logon and source-transparent requests (§6.3) | Authenticated Users + SYSTEM/services |
/run/authd/sources/<source>.sock |
the source (e.g. lpsd → …/lpsd.sock) |
Verify/resolve interface (§4, §5.1) | authd only |
/run/lpsd.sock |
lpsd | Administration interface (§7.2) | Administrators + SYSTEM (+ Authenticated Users for self-service) |
The connect-access column lists the allow-ACE SIDs; the exact security
descriptor for each socket — allow-ACEs by SID, deny by absence — and for
the /run/authd/sources/ directory is given in §9. Sockets are created
so that access is governed by the SD, not by POSIX permission bits.
§6.1.1 The source registry
/run/authd/sources/ is a source registry: each principal source
registers by creating its verify/resolve socket there. authd discovers
the available sources by enumerating this directory and connects to
each. A domain source registers as /run/authd/sources/adpsd.sock. Because
authd connects out to whatever sockets appear here and then trusts the
identities they resolve (§5.2), this channel MUST be protected in both
directions:
- The directory's own SD (defined in §9) MUST restrict entry creation to
the specific trusted source identities (e.g. only lpsd's service SID may
create
lpsd.sock), and socket creation MUST be exclusive so an impostor cannot pre-create or recreate a source's socket (e.g. in the window before the source starts or after it crashes). - authd MUST authenticate every source it connects to: obtain the source socket's owner identity and verify it against an expected-identity allowlist (the mirror of the source checking the peer is authd), and refuse any source socket not owned by its expected identity.
Without the second control, a rogue process that won the race to create a source socket would become a source — minting arbitrary identities and harvesting every cleartext credential authd forwards (§6.2.5). The verify/resolve sockets MUST also be connectable only by authd (per-request peer-token check of §6.2). All of these are mandatory.
§6.1.2 Two-layer authorization
Access is enforced in two layers:
- The connect SD on each socket (the table above) — coarse control
over who may
connect()at all. - Per-request authorization against the peer token (§6.2) — the fine-grained gate that actually decides each request (§6.3).
The per-request gate is the real enforcement; the connect SD is defence-in-depth. In particular, the verify/resolve interface MUST additionally check that the connected peer is authd, not rely on the connect SD alone.