Is it possible to access a Unix socket over the network?

The documentation of the Linux sandboxing application firejail says:

"whenever we are dealing with X11 we also need to install a new network namespace. This is the only way to block access to the abstract Unix socket opened by the main X11 server already running on your box"

This suggests that it is possible to connect to a Unix socket over a network interface only, i.e. without actually being able to open it as a file on the filesystem. This seems rather strange to me. Doesn’t it completely defeat the purpose of permissioning Unix domain sockets as files? Is it really possible to access an X server’s socket without being able to access the filesystem?

Asked By: Tom Ellis


… block access to the abstract Unix socket

There is a difference between a normal UNIX socket and an abstract one. The normal UNIX socket is bound to a path in the file system and the access permissions of this path define the access permissions for the socket.

An abstract UNIX socket instead is independent from the filesystem. The addresses for these sockets live in their own space which is reachable from other processes on the local machine but not from outside the machine.

Answered By: Steffen Ullrich
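
The distinction drawn in this answer, as an added example that is not part of the original answer: Linux-only Python that binds one pathname socket and one abstract socket and shows that only the pathname socket has a filesystem entry whose permissions or removal affect connecting. The temp-directory names are constructed for the demo; `abstract_names` is a helper written for this example that reads `/proc/net/unix`, which lists the sockets in the caller's network namespace.

```python
import os
import socket
import stat
import tempfile

def listen_unix(address):
    """Bind a listening AF_UNIX stream socket to a path or abstract name."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(address)
    srv.listen(1)
    return srv

def can_connect(address):
    """Try a client connect(); True on success, False on any OSError."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as cli:
        try:
            cli.connect(address)
            return True
        except OSError:
            return False

def abstract_names():
    """Abstract socket names visible in this process's network namespace."""
    try:
        with open("/proc/net/unix", errors="replace") as f:
            rows = [line.split() for line in f][1:]  # drop the header row
    except OSError:
        return []
    # The kernel prints the leading NUL of an abstract name as '@'.
    return [r[7] for r in rows if len(r) > 7 and r[7].startswith("@")]

def demo():
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "path.sock")          # constructed names
    abs_name = os.path.join(workdir, "abstract.sock")  # path-like, but no file
    path_srv = listen_unix(path)
    abs_srv = listen_unix("\0" + abs_name)  # leading NUL selects abstract space
    result = {
        "path_is_socket_file": stat.S_ISSOCK(os.stat(path).st_mode),
        "abstract_has_file": os.path.exists(abs_name),
        "abstract_listed": "@" + abs_name in abstract_names(),
    }
    os.unlink(path)  # remove the filesystem entry; both listeners stay open
    result["path_connect_after_unlink"] = can_connect(path)
    result["abstract_connect"] = can_connect("\0" + abs_name)
    path_srv.close()
    abs_srv.close()
    os.rmdir(workdir)
    return result

if __name__ == "__main__":
    print(demo())
```

Comparing the output of `abstract_names()` inside and outside a sandbox is a quick check that the sandbox's network namespace hides the host's abstract sockets.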

I am going to answer the actual question (the one in the headline that Google gives a link to when searching for an answer, not your X11 remark).

Yes – it is possible to access a UNIX socket file over the network. You need to use a tool called socat; it can be easily installed using a package manager and is available on almost all popular distributions (apt-get install socat / yum install socat).

Then you need to create a listener on the server:

socat TCP-LISTEN:6644,reuseaddr,fork UNIX-CONNECT:/path/to/socket/file

And on the client you need to create the socket file using this command:

socat UNIX-LISTEN:/tmp/remote_socket,fork,reuseaddr,unlink-early,user=file_owner,group=file_group,mode=770 TCP:SERVER_ADDRESS:6644

This will make the socket file on the host available over the network using port 6644. A new socket file, remote_socket, will be created on the client. When you write to / read from this socket file you will actually talk to the socket file on the remote server over the network.

Answered By: Petr