Description

While this looks like an odd use case, unix socket are actually quite useful to add access control to a socket interface (something that cannot be done easily with TCP connexions).

Issues with the current implementation

• in the Dsn class, parse_url() cannot be used to parse unix:// URI (or anything in the form of scheme:///path/to/something unless scheme === "file") which prevent the use of this function to get information about a unix socket URI. It is quite straigntforward to implement a parse_url() like function which is able to understand the URI.

• the Dsn class requires a host and unix socket does not have one (it has a path). Some generalization might be needed here

• the SocketStream class require a host and a port - none of them exist when dealing with a unix domain socket.

Example

Consider this socat tunnel :

socat \
  UNIX-LISTEN:/var/run/mail-socket,user=mail,group=mail,mode=700 \
  OPENSSL:mail.example.com:625,method=TLS1.2,verify=1,cert=/root/cert.pem,cafile=/root/ca.pem

When run as root, this tunnel connects a TLS 1.2 server (with server and client verification ; both the cert and the ca are only readable by root:root) to a unix socket which is only accessible to user mail from group mail.

Using such construct allows an administrator to easily identify and control who is sending a specific mail while still maintaining the security of his platform.