CESNET · michalvasko · Nov 28, 2025 · Nov 26, 2025 · Nov 27, 2025 · Nov 27, 2025
diff --git a/doc/libnetconf.doc b/doc/libnetconf.doc
@@ -304,8 +304,8 @@
  * - ::nc_server_set_capab_withdefaults()
  * - ::nc_server_set_capability()
  * - ::nc_server_endpt_count()
- * - ::nc_server_add_endpt_unix_socket_listen()
- * - ::nc_server_del_endpt_unix_socket()
+ * - ::nc_server_set_unix_socket_path()
+ * - ::nc_server_get_unix_socket_path()
  *
  * Server Configuration
  * ===
@@ -383,7 +383,7 @@
  * You may create this data yourself or by using ::nc_server_config_add_ssh_hostkey().
  *
  * It is important to decide whether the users that can connect to the SSH server should be obtained from the configuration or from the system.
- * If the YANG feature *local-users-supported* is enabled (the default), then the authorized users are derived from the configuration. 
+ * If the YANG feature *local-users-supported* is enabled (the default), then the authorized users are derived from the configuration.
  * When a client connects to the server, he must be found in the configuration and he must authenticate to **all** of his configured authentication methods.
  * If the feature is disabled, then the system will be used to try to authenticate the client via one of the three
  * methods - publickey, keyboard-interactive or password (only one of them has to succeed).
@@ -493,6 +493,33 @@
  * - ::nc_server_config_add_tls_ctn()
  * - ::nc_server_config_del_tls_ctn()
  *
+ * UNIX Socket
+ * ===========
+ *
+ * A UNIX socket endpoint can be established using one of two mechanisms:
+ *
+ * 1) **Standard Filesystem Path**: The filesystem path is explicitly stored in the configuration.
+ * To use this, pass a valid path string to ::nc_server_config_add_unix_socket().
+ *
+ * 2) **Hidden Path**: The filesystem path is managed via the API and is not visible
+ * in the YANG configuration. To use this, pass NULL as the path argument to
+ * ::nc_server_config_add_unix_socket(). The actual runtime path must then be set
+ * using ::nc_server_set_unix_socket_path().
+ *
+ * All UNIX sockets require a designated base directory for their creation.
+ * This directory must be set using ::nc_server_set_unix_socket_dir().
+ * A base directory must be set to create any UNIX socket.
+ * All socket paths will be relative to this base directory.
+ *
+ * Security Recommendation
+ * -----------------------
+ * The **Hidden Path** (Option 2) is strongly recommended.
+ *
+ * If standard paths are enabled, any user with permission to modify the server
+ * configuration can change the UNIX socket path via YANG. This allows them to
+ * force the server to create or overwrite arbitrary files in a subdirectory
+ * set by ::nc_server_set_unix_socket_dir() with the privileges of the server process.
+ *
  * FD
  * ==
  *

diff --git a/examples/server.c b/examples/server.c
@@ -235,13 +235,19 @@ init(const char *unix_socket_path, struct ly_ctx **context, struct nc_pollsessio
         ERR_MSG_CLEANUP("Error while parsing the example configuration data.\n");
     }
 
-    /* add UNIX socket to the configuration tree if the path was specified */
     if (unix_socket_path) {
+        /* add UNIX socket endpoint to the configuration tree if the path was specified */
         rc = nc_server_config_add_unix_socket(*context, "unix-socket-endpt",
-                unix_socket_path, NULL, NULL, NULL, &config);
+                NULL, NULL, NULL, NULL, &config);
         if (rc) {
             ERR_MSG_CLEANUP("Creating UNIX socket endpoint configuration failed.\n");
         }
+
+        /* use the specified path for the UNIX socket endpoint */
+        rc = nc_server_set_unix_socket_path("unix-socket-endpt", unix_socket_path);
+        if (rc) {
+            ERR_MSG_CLEANUP("Setting UNIX socket path failed.\n");
+        }
     }
 
     /* since nc_server_config_setup_data() requires all implicit nodes to be present and the example

diff --git a/modules/libnetconf2-netconf-server@2025-11-11.yang b/modules/libnetconf2-netconf-server@2025-11-11.yang
@@ -51,6 +51,13 @@ module libnetconf2-netconf-server {
     description "Second revision.";
   }
 
+  // Features
+
+  feature unix-socket-path {
+    description
+      "Indicates that the server supports configuration of the UNIX socket path.";
+    }
+
   // Identities
 
 /*
@@ -310,17 +317,32 @@ module libnetconf2-netconf-server {
            and listen for incoming NETCONF connections. Client authentication
            is based on the connecting process's effective user ID.";
 
-        leaf path {
-          type string {
-            length "1..107";
-          }
+        choice socket-path-config {
           mandatory true;
           description
-            "Filesystem path where the UNIX socket will be created.
-             The parent directory
-             must exist and be writable by the NETCONF server process.
+            "Selects how the UNIX domain socket path is determined.";
+          case socket-path {
+            if-feature "unix-socket-path";
+            leaf socket-path {
+              type string {
+                length "1..107";
+              }
+              description
+                "Relative filesystem path where the UNIX socket will be bound.
+                 The parent directory must be set by an internal server API setting.
+                 The final resolved path must be within the configured parent directory.
 
-             Example: /var/run/netconf.sock";
+                 Example: netconf.sock";
+            }
+          }
+          case hidden-path {
+            leaf hidden-path {
+              type empty;
+              description
+                "Indicates that the UNIX socket path is not configured via YANG, but is instead
+                 determined by internal server API settings.";
+            }
+          }
         }
 
         container socket-permissions {