Thank you all for your replies and suggestions.
I've opened related PR:
https://pagure.io/gssproxy/pull-request/240
Please, take a look.
Thank you.
Levin Stanislav <slev@altlinux.org> writes:It seems that works, but there is an error message: ``` gssproxy[9862]: Unexpected failure in realpath: 13 (Permission denied) ``` Which come from: ``` lstat("/proc", {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0 lstat("/proc/4054", {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0 lstat("/proc/4054/exe", {st_mode=S_IFLNK|0777, st_size=0, ...}) = 0 readlink("/proc/4054/exe", 0x7ffe7dbf5ee0, 4095) = -1 EACCES (Permission denied) ``` As I understood from man page and code a canonical path to a program is used to whether allow service access to gssproxy or not. The pattern 'program = /a/b/c' will not work in such a case because "program" pointer is always 0x0.Correct. We default-deny - if the user wants program matching and we can't provide it because they've blocked it in the OS, there's nothing else we can do. See Alexander's reply for how to enable gssproxy's permissions. Thanks, --Robbie
_______________________________________________ gss-proxy mailing list -- gss-proxy@lists.fedorahosted.org To unsubscribe send an email to gss-proxy-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/gss-proxy@lists.fedorahosted.org