Loading...

XML

Word

Printable

JSON

Type: Task
Resolution: Fixed
Priority: Major - P3
Fix Version/s: 8.3.0-rc0, 8.0.23
Affects Version/s: None
Component/s: None
Labels:
None

Assigned Teams:

Networking & Observability
Backwards Compatibility:
Fully Compatible
Backport Requested:

v8.0, v7.0
Sprint:
N&O 2026-03-02, N&O 2026-03-16
Linked BF Score:
200
CAR Domain/s:
None

Aha! Reference:
None
Tracking Level:
None
Risk Status:
None
Exec Notes:
None
Goal Name(s):
None
Goal Link:
None

When a client connects over the proxy Unix Domain Socket, we must validate that it corresponds to a trusted client if the unixProxySocketCheckPermissions parameter is enabled. We may do this by inspecting its SO_PEERCRED object. A trusted client possesses the same UID as the Server, proving that it has access to the same on-disk secrets as the server.

We should reject all would-be clients of the proxy UDS.

depends on

SERVER-117933 Implement a "proxy" unix domain socket

Closed

SERVER-119261 Add unixProxySocketPrefix parameter and create unix socket

Closed

is depended on by

SERVER-121216 Update proxyUnixSocketCheckPermissions parameter to check GID instead of UID

Closed

is duplicated by

SERVER-118899 Add unixProxySocketEnforceUIDChecks parameter and checks

Closed

related to

SERVER-121547 Proxy unix socket peer check fails to build on Mac

Closed

Assignee:: Sergei Bazhenov
Reporter:: Spencer Jackson
Participants:: Githook User, Sergei Bazhenov, Spencer Jackson
Votes:: 0 Vote for this issue
Watchers:: 3 Start watching this issue

Created:: Jan 27 2026 11:17:35 PM UTC
Updated:: Apr 27 2026 10:45:56 PM UTC
Resolved:: Mar 12 2026 09:57:47 PM UTC

Details

Description

Attachments

Issue Links

Activity

People

Dates