Skip to content

Support clients running in AT_SECURE context#129

Merged
simo5 merged 1 commit into
gssapi:mainfrom
simo5:atsecure_clients
Jul 8, 2026
Merged

Support clients running in AT_SECURE context#129
simo5 merged 1 commit into
gssapi:mainfrom
simo5:atsecure_clients

Conversation

@simo5

@simo5 simo5 commented Jun 18, 2026

Copy link
Copy Markdown
Member

When a client application runs in a secure execution context (e.g., setuid, where getauxval(AT_SECURE) is non-zero), environment variables like GSSPROXY_SOCKET are ignored to prevent security issues.

This change allows these clients to work by automatically constructing a program-specific socket name (e.g., <default_socket>.<program_name>) when AT_SECURE is detected. The mechanism interposer now checks if this socket is accessible to decide whether to enable gssproxy. Documentation is updated to guide users on configuring the service for this specific socket.

Fixes: #127

When a client application runs in a secure execution context (e.g., setuid,
where getauxval(AT_SECURE) is non-zero), environment variables like
GSSPROXY_SOCKET are ignored to prevent security issues.

This change allows these clients to work by automatically constructing a
program-specific socket name (e.g., <default_socket>.<program_name>) when
AT_SECURE is detected. The mechanism interposer now checks if this socket is
accessible to decide whether to enable gssproxy. Documentation is updated to
guide users on configuring the service for this specific socket.

Assisted-by: Gemini <gemini@google.com>
Signed-off-by: Simo Sorce <simo@redhat.com>
@simo5 simo5 force-pushed the atsecure_clients branch from 5399e9a to ed6876e Compare June 18, 2026 01:00
@simo5

simo5 commented Jul 8, 2026

Copy link
Copy Markdown
Member Author

Tested by reported and confirmed working, so ... merging.

@simo5 simo5 merged commit c92e174 into gssapi:main Jul 8, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

secure_getenv(3) makes it difficult for clients to use gss-proxy with SELinux and domain transitions due to AT_SECURE flag

1 participant