Authenticating clients with the Multipass service

[since version 1.9.0]
Work in progress

Multipass requires clients to be authenticated with the service before allowing commands to complete. How this authentication is accomplished depends of few factors.

Linux and macOS hosts

Linux and macOS hosts currently use a Unix domain socket for client and daemon communication. This socket only allows a client to connect via a user who belongs to the particular group the socket is owned by. For example, this group could be sudo, admin, or wheel and the user needs to belong to this group or else permission will be denied when connecting.

New methodology

With the authentication change, the socket will still be set as mentioned above until the first client connects at which point the socket will be open for all users to connect. This first client includes both the CLI and GUI, ie, tray, clients for the user. Any other user trying to connect to the Multipass service will need register with the service.

Windows hosts

The Windows host uses a TCP socket listening in port 50051 for client connections. This socket is open for all to use since there is no concept of file ownership for TCP sockets.