sockets: implement WithAdditionalUsersAndGroups for windows by thaJeztah · Pull Request #139 · docker/go-connections

thaJeztah · 2025-08-04T21:43:44Z

depends on / stacked on sockets: make NewUnixSocket, WithChown, WithChmod unix-only #138

Implement a WithAdditionalUsersAndGroups (windows daemon allows
specifying multiple additional users and groups for named pipes
and unix-sockets).
Implement NewUnixSocket that accepts (optional) additional users
and groups.

Partially based on https://github.com/moby/moby/blob/6b45c76a233b1b8b56465f76c21c09fd7920e82d/daemon/listeners/listeners_windows.go#L53-L80

- Description for the changelog

- A picture of a cute animal (not mandatory but encouraged)

thaJeztah · 2025-08-04T23:13:59Z

Looks like the tests were skipped on Windows;

--- PASS: TestInmemSocket (0.00s)
=== RUN   TestUnixSocketWithOpts
--- PASS: TestUnixSocketWithOpts (0.00s)
=== RUN   TestNewUnixSocket
    unix_socket_windows_test.go:20: requires root
--- SKIP: TestNewUnixSocket (0.00s)
=== RUN   TestNewUnixSocketUnknownGroup
    unix_socket_windows_test.go:36: requires root
--- SKIP: TestNewUnixSocketUnknownGroup (0.00s)
PASS
ok  	github.com/docker/go-connections/sockets	0.026s
=== RUN   TestConfigServerTLSFailsIfUnableToLoadCerts

thaJeztah · 2025-08-05T09:22:25Z

=== RUN   TestNewUnixSocket
    unix_socket_windows_test.go:32: listen unix /tmp/test.sock: bind: A socket operation encountered a dead network.

thaJeztah · 2025-08-05T10:06:59Z

+	socketPath := filepath.Join(os.TempDir(), "test.sock")
+	defer func() { _ = os.Remove(socketPath) }()
+
+	l, err := NewUnixSocket(socketPath, []string{group})


"Progress" previously we got;

=== RUN TestNewUnixSocket unix_socket_windows_test.go:32: listen unix /tmp/test.sock: bind: A socket operation encountered a dead network.

I changed the fixed /tmp/test.sock to use os.TempDir(), and now I get;

=== RUN TestNewUnixSocket unix_socket_windows_test.go:88: The parameter is incorrect.

Possibly the path is too long? Or must it use unix conventions (/somewhere/foo.sock), and not a Windows file path (C:\somewhere\foo.sock)?

thaJeztah · 2025-08-05T10:22:42Z

UGH back to the drawing board; some digging (to be verified) that unix sockets on Windows are always virtual, so there's no file, and no permissions to set. So there's no option to control access?

thaJeztah · 2025-08-05T10:28:11Z

Hm... so AI was dreaming that up; https://devblogs.microsoft.com/commandline/af_unix-comes-to-windows/

Unix sockets provide a mechanism for secure communication. Communication over unix sockets can be secured by controlling the file (or directory) permissions on the pathname sockets (or the parent directory). For example, the bind socket API creates a ‘socket’ file with the given pathname. The creation of the new socket file will fail if the calling process does not has write permission on the directory where the file is being created. Similarly, for connecting to a stream socket, the connecting process should have write permission on the socket. The same level of security is available and enforced on the Windows unix socket implementation. See the man page on AF_UNIX for more details on the security.

austinvazquez · 2025-08-06T20:07:14Z

+		return windows.SetNamedSecurityInfo(
+			path,
+			windows.SE_FILE_OBJECT,
+			windows.DACL_SECURITY_INFORMATION|windows.OWNER_SECURITY_INFORMATION,


From debugging, if we are not specifying an owner then we should exclude OWNER_SECURITY_INFORMATION from security information here.

The thing I was unsure is if this is additive or do we need to apply the owner/group from the security descriptor?

austinvazquez · 2025-08-06T20:09:48Z

+			windows.SE_FILE_OBJECT,
+			windows.DACL_SECURITY_INFORMATION|windows.OWNER_SECURITY_INFORMATION,
+			nil, // do not change the owner
+			nil, // do not change the owner


- Implement a WithAdditionalUsersAndGroups (windows daemon allows specifying multiple additional users and groups for named pipes and unix-sockets). - Implement a WithBasePermissions() option for windows - Implement NewUnixSocket that accepts (optional) additional users and groups. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

thaJeztah · 2025-12-01T13:30:47Z

superseded by #149

thaJeztah force-pushed the windows_unix_socket_permissions branch from 90df6c7 to 91e50f6 Compare August 4, 2025 21:59

thaJeztah force-pushed the windows_unix_socket_permissions branch from 91e50f6 to 6e7bde7 Compare August 5, 2025 09:20

thaJeztah force-pushed the windows_unix_socket_permissions branch 3 times, most recently from 951cd84 to 2ea4420 Compare August 5, 2025 09:48

thaJeztah commented Aug 5, 2025

View reviewed changes

thaJeztah force-pushed the windows_unix_socket_permissions branch from 2ea4420 to a465fac Compare August 5, 2025 10:09

thaJeztah mentioned this pull request Aug 5, 2025

sockets: make NewUnixSocket, WithChown, WithChmod unix-only #138

Merged

austinvazquez reviewed Aug 6, 2025

View reviewed changes

thaJeztah force-pushed the windows_unix_socket_permissions branch from a465fac to 7c22d0d Compare October 28, 2025 07:49

chelnak mentioned this pull request Oct 28, 2025

sockets: implement WithAdditionalUsersAndGroups for windows #149

Merged

vvoland closed this in #149 Dec 1, 2025

thaJeztah deleted the windows_unix_socket_permissions branch December 1, 2025 13:30

thaJeztah mentioned this pull request Feb 19, 2026

sys, dialer: support AF_UNIX sockets on Windows containerd/containerd#12921

Draft

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

sockets: implement WithAdditionalUsersAndGroups for windows#139

sockets: implement WithAdditionalUsersAndGroups for windows#139
thaJeztah wants to merge 1 commit intodocker:mainfrom
thaJeztah:windows_unix_socket_permissions

thaJeztah commented Aug 4, 2025 •

edited

Loading

Uh oh!

thaJeztah commented Aug 4, 2025

Uh oh!

thaJeztah commented Aug 5, 2025

Uh oh!

thaJeztah Aug 5, 2025 •

edited

Loading

Uh oh!

thaJeztah commented Aug 5, 2025

Uh oh!

thaJeztah commented Aug 5, 2025

Uh oh!

austinvazquez Aug 6, 2025 •

edited

Loading

Uh oh!

austinvazquez Aug 6, 2025

Uh oh!

thaJeztah commented Dec 1, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

thaJeztah commented Aug 4, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

thaJeztah commented Aug 4, 2025

Uh oh!

thaJeztah commented Aug 5, 2025

Uh oh!

thaJeztah Aug 5, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

thaJeztah commented Aug 5, 2025

Uh oh!

thaJeztah commented Aug 5, 2025

Uh oh!

austinvazquez Aug 6, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

austinvazquez Aug 6, 2025

Choose a reason for hiding this comment

Uh oh!

thaJeztah commented Dec 1, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

thaJeztah commented Aug 4, 2025 •

edited

Loading

thaJeztah Aug 5, 2025 •

edited

Loading

austinvazquez Aug 6, 2025 •

edited

Loading