Thank you all for your replies and suggestions.


I've opened a related PR:

https://pagure.io/gssproxy/pull-request/240

Please take a look.

Thank you.


03.12.2018 22:19, Robbie Harwood wrote:
Levin Stanislav <slev@altlinux.org> writes:

It seems that works, but there is an error message:

```
gssproxy[9862]: Unexpected failure in realpath: 13 (Permission denied)
```

Which comes from:

```
lstat("/proc", {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0
lstat("/proc/4054", {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0
lstat("/proc/4054/exe", {st_mode=S_IFLNK|0777, st_size=0, ...}) = 0
readlink("/proc/4054/exe", 0x7ffe7dbf5ee0, 4095) = -1 EACCES (Permission denied)
```

As I understood from the man page and the code, a canonical path to a program is
used to decide whether to allow a service access to gssproxy or not.

The pattern 'program = /a/b/c' will not work in such a case because
"program" pointer is always 0x0.

Correct.  We default-deny - if the user wants program matching and we
can't provide it because they've blocked it in the OS, there's nothing
else we can do.

See Alexander's reply for how to enable gssproxy's permissions.

Thanks,
--Robbie
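
The default-deny program match discussed in this thread, as an added C example that is not gssproxy's own code: the peer's executable is resolved with `realpath()` on `/proc/<pid>/exe`, and any failure (such as the EACCES in the strace above) results in a denial. The names `peer_program` and `program_allowed` are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Resolve the executable of `pid` through /proc/<pid>/exe.
 * Returns 0 and fills `out` (PATH_MAX bytes) on success, or the errno
 * value on failure (EACCES in the strace quoted in the thread). */
static int peer_program(pid_t pid, char *out)
{
    char link[64];

    snprintf(link, sizeof(link), "/proc/%ld/exe", (long)pid);
    if (realpath(link, out) == NULL)
        return errno;
    return 0;
}

/* Default-deny match: returns 1 only when the peer's executable could be
 * resolved AND equals `allowed`. An unresolved program never matches. */
int program_allowed(pid_t pid, const char *allowed)
{
    char exe[PATH_MAX];
    int err;

    if (allowed == NULL)
        return 0;
    err = peer_program(pid, exe);
    if (err != 0) {
        fprintf(stderr, "cannot resolve program of pid %ld: %d (%s); denying\n",
                (long)pid, err, strerror(err));
        return 0;
    }
    return strcmp(exe, allowed) == 0;
}

int main(void)
{
    char self[PATH_MAX];

    if (peer_program(getpid(), self) != 0)
        return 1;
    printf("own pid, own path:   %d\n", program_allowed(getpid(), self));
    printf("own pid, other path: %d\n", program_allowed(getpid(), "/nonexistent/binary"));
    /* pid 1: the result depends on the caller's privileges over that process. */
    printf("pid 1, own path:     %d\n", program_allowed(1, self));
    return 0;
}
```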

