Difference between revisions of "Proxy file handling in gLExec"
(59 intermediate revisions by 2 users not shown) | |||
Line 3: | Line 3: | ||
The environment variables of interest are: | The environment variables of interest are: | ||
* GLEXEC_CLIENT_CERT | * GLEXEC_CLIENT_CERT | ||
+ | * X509_USER_PROXY | ||
* GLEXEC_SOURCE_PROXY | * GLEXEC_SOURCE_PROXY | ||
* GLEXEC_TARGET_PROXY | * GLEXEC_TARGET_PROXY | ||
− | + | ||
+ | '''''Note''''': do ''NOT'' forget to '''export'''/'''setenv''' these variables, so that they are known to gLExec. | ||
== GLEXEC_CLIENT_CERT == | == GLEXEC_CLIENT_CERT == | ||
− | gLExec | + | gLExec uses this (proxy) certificate as input to know who to authorize and to which account a mapping must be done. |
+ | |||
+ | In a Multi User Pilot Job (MUPJ) environment this is a proxy with the identity of the payload user. | ||
The GLEXEC_CLIENT_CERT | The GLEXEC_CLIENT_CERT | ||
− | * Contains | + | * Contains an absolute file path to the proxyfile. Note: "/dir/subdir/../subdir2/proxy" is allowed. |
− | * | + | * The proxyfile MUST contain a public and private key pair. |
− | * | + | * The proxyfile MUST be readable by the user account calling gLExec. |
− | * | + | |
− | * | + | === File permissions === |
− | + | ||
+ | The file permissions of the file must meet the following: | ||
+ | * The proxyfile MUST be owned by the account that calls gLExec. In pilot job framework use cases: owned by the pilot user | ||
+ | * The proxyfile MUST NOT exceed the file permissions of 0700 which means readable, writeable or executable explicitly for the user of the file. Groups, others and special bits are not allowed. | ||
− | === Troubleshooting hints === | + | === Troubleshooting hints for version < 0.6.9 === |
When this environment variable is not available or when the given path is not readable by gLExec the following error messages will occur in the gLExec log indicating a problem with gLExec's input, in particular the absence of a usable GLEXEC_CLIENT_CERT: | When this environment variable is not available or when the given path is not readable by gLExec the following error messages will occur in the gLExec log indicating a problem with gLExec's input, in particular the absence of a usable GLEXEC_CLIENT_CERT: | ||
Line 27: | Line 34: | ||
glexec[10301]: lcas.mod-lcas_run_va(): failed | glexec[10301]: lcas.mod-lcas_run_va(): failed | ||
− | As a result of not being able to present tokens to be authorized, the gLExec tool will exit with a 203 exit code. This indicates that the authorization of the user has failed. | + | As a result of not being able to present tokens to be authorized, the gLExec tool will exit with a 203 exit code. This indicates that the authorization of the user has failed. |
− | + | For more information on the gLExec exit code, please visit: [[Exit codes of gLExec]] | |
− | + | == X509_USER_PROXY (on the calling side) == | |
− | For the interaction with | + | The X509_USER_PROXY passes through gLExec to the SCAS client or Argus client LCMAPS plug-ins. |
+ | |||
+ | In a Multi User Pilot Job (MUPJ) environment this is a proxy with the identity of the Pilot Job Framework '''Production Manager''' a.k.a. the Pilot User. | ||
+ | |||
+ | For the interaction with a site central authorization service, such as SCAS, Argus or GUMS, these credentials are used to authenticate at the service. The actual mapping decision is based on the identity of the GLEXEC_CLIENT_CERT proxy. The credentials will be used in the policy decision at the service, but for the SCAS interaction this identity (by its VOMS credentials for instance) must be whitelisted to be able to interact with the service. The X509_USER_PROXY is used to setup the mutually authenticated secure channel to the authorization service. | ||
The X509_USER_PROXY | The X509_USER_PROXY | ||
− | * Contains | + | * Contains an absolute file path to the proxyfile. Note: "/dir/subdir/../subdir2/proxy" is allowed. |
− | * | + | * The proxyfile MUST contain a public and private key pair. |
− | * | + | * The proxyfile MUST be readable by the user account calling gLExec |
− | |||
− | |||
− | |||
=== Troubleshooting hints: using Argus === | === Troubleshooting hints: using Argus === | ||
− | When this environment variable is not available or when the given path is not readable by gLExec the following error messages will occur in the gLExec log indicating a problem with LCMAPS plug-in's input, in particular the absence of a usable X509_USER_PROXY: | + | When this environment variable is not available or when the given path is not readable by gLExec the following error messages will occur in the gLExec log indicating a problem with LCMAPS plug-in's input, in particular the absence of a usable X509_USER_PROXY. |
+ | |||
+ | For LCMAPS c-pep plugin version < 1.0.0 this will incorrectly lead to a gLExec exit code of 202 (misconfigured site error), instead of the correct 203 (authorization failed) exit code. This leads to the following error in the log file: | ||
lcmaps.mod-startPluginManager(): error initializing plugin: /opt/glite/lib64/modules/lcmaps_c_pep.mod | lcmaps.mod-startPluginManager(): error initializing plugin: /opt/glite/lib64/modules/lcmaps_c_pep.mod | ||
Line 51: | Line 61: | ||
Initialization of LCMAPS failed. Please check in syslog or the logfile for LCMAPS (when able to be opened) for more details | Initialization of LCMAPS failed. Please check in syslog or the logfile for LCMAPS (when able to be opened) for more details | ||
− | + | For versions ≥ 1.0.0 this behaviour is fixed, gLExec will give a 203 exit code in the absence of a usable X509_USER_PROXY. | |
+ | |||
+ | For more information on the gLExec exit codes, please visit: [[Exit codes of gLExec]] | ||
=== Troubleshooting hints: using SCAS === | === Troubleshooting hints: using SCAS === | ||
Line 61: | Line 73: | ||
lcmaps_plugin_scas_client-plugin_run(): scas client plugin failed | lcmaps_plugin_scas_client-plugin_run(): scas client plugin failed | ||
− | On the shell the exit code of gLExec will signal a 203. This indicates an authorization failure. For more information on the gLExec exit | + | On the shell the exit code of gLExec will signal a 203. This indicates an authorization failure. |
+ | |||
+ | For more information on the gLExec exit codes, please visit: [[Exit codes of gLExec]] | ||
− | == GLEXEC_SOURCE_PROXY == | + | == GLEXEC_SOURCE_PROXY (optional) == |
− | gLExec has the capability of transferring the proxy file from the calling environment to the target user's environment. The resulting file will then be accessible by the target user | + | gLExec has the capability of transferring the proxy file from the calling environment to the target user's environment. The resulting file will then be accessible by the target user. |
− | The setting is optional. If no GLEXEC_SOURCE_PROXY is present for gLExec to use, | + | ''NOTE'': in version 0.8 and higher, the transfer of the proxy file and/or the setting of the corresponding variables in the target environment can be disabled in the config file, using the ''create_target_proxy'' option. |
+ | |||
+ | The GLEXEC_SOURCE_PROXY holds the path to the proxy file that needs to be transferred. The setting is optional. If no GLEXEC_SOURCE_PROXY is present for gLExec to use, the behaviour depends on the gLExec version, see also [[#Behaviour overview|Behaviour overview]]: | ||
+ | * for version 0.6.8-3 and older, no proxy file is transferred. | ||
+ | * for version 0.7.0 and higher a default equal to GLEXEC_CLIENT_CERT is used. | ||
When the GLEXEC_SOURCE_PROXY is set: | When the GLEXEC_SOURCE_PROXY is set: | ||
− | * | + | * It contains an absolute file path to the proxyfile. Note: "/dir/subdir/../subdir2/proxy" is allowed. |
* Must be readable by the user account calling gLExec | * Must be readable by the user account calling gLExec | ||
− | |||
− | |||
− | |||
− | When the GLEXEC_TARGET_PROXY environment variable is not set, the proxy will be staged in a default location. | + | When the [[#GLEXEC_TARGET_PROXY_.28optional.29|GLEXEC_TARGET_PROXY]] environment variable is not set, the proxy will be staged in a default location which depends on the gLExec version: |
+ | * for version 0.6.8-3 and older: '''<target users $HOME>/.glexec/proxy'''. | ||
+ | * for version 0.7.0 and higher: | ||
+ | * in logging only mode no file is copied | ||
+ | * in switching/setuid mode '''/tmp/x509up_u<target users uid>.glexec.XXXXXX''' where XXXXXX will be substituted by a sequence of 6 random letters. | ||
+ | |||
+ | After a proper copying of the proxy file the '''X509_USER_PROXY''' environment variable will be set to point to the new file. | ||
+ | |||
+ | For version 0.7.0 in logging only mode without a GLEXEC_TARGET_PROXY setting, the '''X509_USER_PROXY''' environment variable will be set to point to the GLEXEC_SOURCE_PROXY or its default GLEXEC_CLIENT_CERT. | ||
+ | |||
+ | === File permissions === | ||
+ | |||
+ | The file permissions of the file must meet the following: | ||
+ | * The proxyfile MUST be owned by the account that calls gLExec. In pilot job framework use cases: owned by the pilot user | ||
+ | * The proxyfile MUST NOT exceed the file permissions of 0700 which means readable, writeable or executable explicitly for the user of the file. Groups, others and special bits are not allowed. | ||
+ | |||
+ | === Troubleshooting hints === | ||
+ | |||
+ | If the GLEXEC_SOURCE_PROXY is not set, gLExec will continue without it or with the default (see [[#GLEXEC_SOURCE_PROXY_.28optional.29|GLEXEC_SOURCE_PROXY]]) | ||
+ | |||
+ | If the GLEXEC_SOURCE_PROXY is set but not valid, for version < 0.7.0: | ||
+ | *If the GLEXEC_SOURCE_PROXY is set to a not-existing file the following message will occur on the commandline: | ||
+ | [gLExec]: The stat syscall returned with an error for either $GLEXEC_CLIENT_CERT or $GLEXEC_SOURCE_PROXY. | ||
+ | *If the GLEXEC_SOURCE_PROXY is set to an unreadable file, or to a file which is readable by more than just the user, the following message will occur on the commandline: | ||
+ | [gLExec]: Expecting a different set of permissions. | ||
+ | In all these cases the gLExec exit code will be set to 201, which indicates a user (resolvable) error. | ||
+ | |||
+ | For more information on the gLExec exit code, please visit: [[Exit codes of gLExec]] | ||
+ | |||
+ | == GLEXEC_TARGET_PROXY (optional) == | ||
+ | |||
+ | The GLEXEC_TARGET_PROXY is the full path of the location where the GLEXEC_SOURCE_PROXY is going to be written. See [[#GLEXEC_SOURCE_PROXY_.28optional.29|GLEXEC_SOURCE_PROXY]] for the behaviour when unset. Note that the default behaviour has changed between versions ≤0.6.8-3 and ≥0.7.0, see also [[#Behaviour overview|Behaviour overview]] | ||
+ | |||
+ | The path will be checked by gLExec to be assured that: | ||
+ | * The directory in which the proxy will be written is owned by the target user. | ||
+ | * Is writeable by the target user. | ||
+ | |||
+ | As a result of the proper staging of the proxy file the '''X509_USER_PROXY''' environment variable will have the same value as the set GLEXEC_TARGET_PROXY. | ||
+ | |||
+ | From version 0.9 onwards, a value /dev/null in this variable will prevent setting the X509_USER_PROXY for the payload and prevents writing a temporary file. | ||
=== Troubleshooting hints === | === Troubleshooting hints === | ||
− | If the GLEXEC_SOURCE_PROXY | + | If gLExec is unable to write to the indicated target location a 201 exit code is returned by gLExec, indicating a user (resolvable) error. |
+ | |||
+ | For more information on the gLExec exit code, please visit: [[Exit codes of gLExec]] | ||
+ | |||
+ | == Behaviour overview == | ||
+ | |||
+ | *C - GLEXEC_CLIENT_CERT (mandatory) | ||
+ | *X - X509_USER_PROXY (mandatory) | ||
+ | *S - GLEXEC_SOURCE_PROXY | ||
+ | *T - GLEXEC_TARGET_PROXY | ||
+ | |||
+ | ''NOTES'': | ||
+ | * For gLExec ≥ 0.8 the writing/setting of the proxy on the payload depends on the ''create_target_proxy'' setting in the glexec.conf file, see man [http://www.nikhef.nl/grid/lcaslcmaps/man/glexec.conf.5.0_8_0.html glexec.conf(5)]. | ||
+ | * For gLExec ≥ 0.9 the writing/setting of the proxy on the payload can also be disabled by specifying the special GLEXEC_TARGET_PROXY value <tt>/dev/null</tt>. | ||
+ | * In the default /tmp/x509up_u<uid>.glexec.XXXXXX the six X are replaced by random letters following mkstemp(). | ||
+ | * The rules should be parsed top to bottom, consecutively. | ||
+ | |||
+ | {| border=1 | ||
+ | ! | ||
+ | ! 0.6.8-3 | ||
+ | ! 0.7.0 logging only | ||
+ | ! 0.7.0 setuid | ||
+ | |- | ||
+ | |'''set''' GLEXEC_SOURCE_PROXY | ||
+ | '''set''' GLEXEC_TARGET_PROXY | ||
+ | |file S copied to file T | ||
+ | var X gets value T | ||
+ | |file S copied to file T | ||
+ | var X gets value T | ||
+ | |file S copied to file T | ||
+ | var X gets value T | ||
+ | |- | ||
+ | |'''set''' GLEXEC_SOURCE_PROXY | ||
+ | '''unset''' GLEXEC_TARGET_PROXY | ||
+ | |file S copied to <mapped homedir>/.proxy/glexec<SUP>*</SUP> | ||
+ | var X gets this filepath as value | ||
+ | |var T gets value S | ||
+ | | ||
+ | |||
+ | var X gets value T | ||
+ | |var T gets value /tmp/x509up_u<uid>.glexec.XXXXXX | ||
+ | file S copied to file T | ||
− | + | var X set to value T | |
+ | |- | ||
+ | |'''unset''' GLEXEC_SOURCE_PROXY | ||
+ | '''set''' GLEXEC_TARGET_PROXY | ||
+ | |var X unchanged<SUP>**</SUP> | ||
+ | var T unused | ||
+ | |var S gets value C | ||
+ | file S copied to file T | ||
− | + | var X gets value T | |
+ | |var S gets value C | ||
+ | file S copied to file T | ||
+ | |||
+ | var X gets value T | ||
+ | |- | ||
+ | |'''unset''' GLEXEC_SOURCE_PROXY | ||
+ | '''unset''' GLEXEC_TARGET_PROXY | ||
+ | |var X unchanged<SUP>**</SUP> | ||
+ | |var S gets value C | ||
+ | var T gets value S | ||
+ | |||
+ | | ||
+ | |||
+ | var X gets value T | ||
+ | |var S gets value C | ||
+ | var T gets value /tmp/x509up_u<uid>.glexec.XXXXXX | ||
+ | |||
+ | file copied to file T | ||
+ | |||
+ | var X gets value T | ||
+ | |} | ||
+ | |||
+ | <SUP>*</SUP> in logging only mode this is unwanted behaviour and therefore changed in version 0.7.0. | ||
− | + | <SUP>**</SUP> this is unwanted behaviour and therefore changed in version 0.7.0. |
Latest revision as of 14:19, 4 April 2012
gLExec uses four environment variables for various reasons. This section is intended to explain what they do in a pragmatic way so that you should be able to work with them.
The environment variables of interest are:
- GLEXEC_CLIENT_CERT
- X509_USER_PROXY
- GLEXEC_SOURCE_PROXY
- GLEXEC_TARGET_PROXY
Note: do NOT forget to export/setenv these variables, so that they are known to gLExec.
GLEXEC_CLIENT_CERT
gLExec uses this (proxy) certificate as input to know who to authorize and to which account a mapping must be done.
In a Multi User Pilot Job (MUPJ) environment this is a proxy with the identity of the payload user.
The GLEXEC_CLIENT_CERT
- Contains an absolute file path to the proxyfile. Note: "/dir/subdir/../subdir2/proxy" is allowed.
- The proxyfile MUST contain a public and private key pair.
- The proxyfile MUST be readable by the user account calling gLExec.
File permissions
The file permissions of the file must meet the following:
- The proxyfile MUST be owned by the account that calls gLExec. In pilot job framework use cases: owned by the pilot user
- The proxyfile MUST NOT exceed the file permissions of 0700 which means readable, writeable or executable explicitly for the user of the file. Groups, others and special bits are not allowed.
Troubleshooting hints for version < 0.6.9
When this environment variable is not available or when the given path is not readable by gLExec the following error messages will occur in the gLExec log indicating a problem with gLExec's input, in particular the absence of a usable GLEXEC_CLIENT_CERT:
glexec[10301]: LCAS authorization request glexec[10301]: lcas.mod-lcas_run_va(): Cannot find certificate chain in pem string(failure) glexec[10301]: lcas.mod-lcas_run_va(): failed
As a result of not being able to present tokens to be authorized, the gLExec tool will exit with a 203 exit code. This indicates that the authorization of the user has failed.
For more information on the gLExec exit code, please visit: Exit codes of gLExec
X509_USER_PROXY (on the calling side)
The X509_USER_PROXY passes through gLExec to the SCAS client or Argus client LCMAPS plug-ins.
In a Multi User Pilot Job (MUPJ) environment this is a proxy with the identity of the Pilot Job Framework Production Manager a.k.a. the Pilot User.
For the interaction with a site central authorization service, such as SCAS, Argus or GUMS, these credentials are used to authenticate at the service. The actual mapping decision is based on the identity of the GLEXEC_CLIENT_CERT proxy. The credentials will be used in the policy decision at the service, but for the SCAS interaction this identity (by its VOMS credentials for instance) must be whitelisted to be able to interact with the service. The X509_USER_PROXY is used to setup the mutually authenticated secure channel to the authorization service.
The X509_USER_PROXY
- Contains an absolute file path to the proxyfile. Note: "/dir/subdir/../subdir2/proxy" is allowed.
- The proxyfile MUST contain a public and private key pair.
- The proxyfile MUST be readable by the user account calling gLExec
Troubleshooting hints: using Argus
When this environment variable is not available or when the given path is not readable by gLExec the following error messages will occur in the gLExec log indicating a problem with LCMAPS plug-in's input, in particular the absence of a usable X509_USER_PROXY.
For LCMAPS c-pep plugin version < 1.0.0 this will incorrectly lead to a gLExec exit code of 202 (misconfigured site error), instead of the correct 203 (authorization failed) exit code. This leads to the following error in the log file:
lcmaps.mod-startPluginManager(): error initializing plugin: /opt/glite/lib64/modules/lcmaps_c_pep.mod lcmaps.mod-lcmaps_init() error: could not start plugin manager Initialization of LCMAPS failed. Please check in syslog or the logfile for LCMAPS (when able to be opened) for more details
For versions ≥ 1.0.0 this behaviour is fixed, gLExec will give a 203 exit code in the absence of a usable X509_USER_PROXY.
For more information on the gLExec exit codes, please visit: Exit codes of gLExec
Troubleshooting hints: using SCAS
When this environment variable is not available or when the given path is not readable by gLExec the following error messages will occur in the gLExec log indicating a problem with LCMAPS plug-in's input, in particular the absence of a usable X509_USER_PROXY:
lcmaps_plugin_scas_client-plugin_run(): No client side credentials for SSL handshake to the SCAS service presented. Not in the configuration file and not in the $X509_USER_{PROXY,CERT,KEY} environment variables. lcmaps_plugin_scas_client-plugin_run(): scas client plugin failed
On the shell the exit code of gLExec will signal a 203. This indicates an authorization failure.
For more information on the gLExec exit codes, please visit: Exit codes of gLExec
GLEXEC_SOURCE_PROXY (optional)
gLExec has the capability of transferring the proxy file from the calling environment to the target user's environment. The resulting file will then be accessible by the target user.
NOTE: in version 0.8 and higher, the transfer of the proxy file and/or the setting of the corresponding variables in the target environment can be disabled in the config file, using the create_target_proxy option.
The GLEXEC_SOURCE_PROXY holds the path to the proxy file that needs to be transferred. The setting is optional. If no GLEXEC_SOURCE_PROXY is present for gLExec to use, the behaviour depends on the gLExec version, see also Behaviour overview:
- for version 0.6.8-3 and older, no proxy file is transferred.
- for version 0.7.0 and higher a default equal to GLEXEC_CLIENT_CERT is used.
When the GLEXEC_SOURCE_PROXY is set:
- It contains an absolute file path to the proxyfile. Note: "/dir/subdir/../subdir2/proxy" is allowed.
- Must be readable by the user account calling gLExec
When the GLEXEC_TARGET_PROXY environment variable is not set, the proxy will be staged in a default location which depends on the gLExec version:
- for version 0.6.8-3 and older: <target users $HOME>/.glexec/proxy.
- for version 0.7.0 and higher:
* in logging only mode no file is copied * in switching/setuid mode /tmp/x509up_u<target users uid>.glexec.XXXXXX where XXXXXX will be substituted by a sequence of 6 random letters.
After a proper copying of the proxy file the X509_USER_PROXY environment variable will be set to point to the new file.
For version 0.7.0 in logging only mode without a GLEXEC_TARGET_PROXY setting, the X509_USER_PROXY environment variable will be set to point to the GLEXEC_SOURCE_PROXY or its default GLEXEC_CLIENT_CERT.
File permissions
The file permissions of the file must meet the following:
- The proxyfile MUST be owned by the account that calls gLExec. In pilot job framework use cases: owned by the pilot user
- The proxyfile MUST NOT exceed the file permissions of 0700 which means readable, writeable or executable explicitly for the user of the file. Groups, others and special bits are not allowed.
Troubleshooting hints
If the GLEXEC_SOURCE_PROXY is not set, gLExec will continue without it or with the default (see GLEXEC_SOURCE_PROXY)
If the GLEXEC_SOURCE_PROXY is set but not valid, for version < 0.7.0:
- If the GLEXEC_SOURCE_PROXY is set to a not-existing file the following message will occur on the commandline:
[gLExec]: The stat syscall returned with an error for either $GLEXEC_CLIENT_CERT or $GLEXEC_SOURCE_PROXY.
- If the GLEXEC_SOURCE_PROXY is set to an unreadable file, or to a file which is readable by more than just the user, the following message will occur on the commandline:
[gLExec]: Expecting a different set of permissions.
In all these cases the gLExec exit code will be set to 201, which indicates a user (resolvable) error.
For more information on the gLExec exit code, please visit: Exit codes of gLExec
GLEXEC_TARGET_PROXY (optional)
The GLEXEC_TARGET_PROXY is the full path of the location where the GLEXEC_SOURCE_PROXY is going to be written. See GLEXEC_SOURCE_PROXY for the behaviour when unset. Note that the default behaviour has changed between versions ≤0.6.8-3 and ≥0.7.0, see also Behaviour overview
The path will be checked by gLExec to be assured that:
- The directory in which the proxy will be written is owned by the target user.
- Is writeable by the target user.
As a result of the proper staging of the proxy file the X509_USER_PROXY environment variable will have the same value as the set GLEXEC_TARGET_PROXY.
From version 0.9 onwards, a value /dev/null in this variable will prevent setting the X509_USER_PROXY for the payload and prevents writing a temporary file.
Troubleshooting hints
If gLExec is unable to write to the indicated target location a 201 exit code is returned by gLExec, indicating a user (resolvable) error.
For more information on the gLExec exit code, please visit: Exit codes of gLExec
Behaviour overview
- C - GLEXEC_CLIENT_CERT (mandatory)
- X - X509_USER_PROXY (mandatory)
- S - GLEXEC_SOURCE_PROXY
- T - GLEXEC_TARGET_PROXY
NOTES:
- For gLExec ≥ 0.8 the writing/setting of the proxy on the payload depends on the create_target_proxy setting in the glexec.conf file, see man glexec.conf(5).
- For gLExec ≥ 0.9 the writing/setting of the proxy on the payload can also be disabled by specifying the special GLEXEC_TARGET_PROXY value /dev/null.
- In the default /tmp/x509up_u<uid>.glexec.XXXXXX the six X are replaced by random letters following mkstemp().
- The rules should be parsed top to bottom, consecutively.
0.6.8-3 | 0.7.0 logging only | 0.7.0 setuid | |
---|---|---|---|
set GLEXEC_SOURCE_PROXY
set GLEXEC_TARGET_PROXY |
file S copied to file T
var X gets value T |
file S copied to file T
var X gets value T |
file S copied to file T
var X gets value T |
set GLEXEC_SOURCE_PROXY
unset GLEXEC_TARGET_PROXY |
file S copied to <mapped homedir>/.proxy/glexec*
var X gets this filepath as value |
var T gets value S
var X gets value T |
var T gets value /tmp/x509up_u<uid>.glexec.XXXXXX
file S copied to file T var X set to value T |
unset GLEXEC_SOURCE_PROXY
set GLEXEC_TARGET_PROXY |
var X unchanged**
var T unused |
var S gets value C
file S copied to file T var X gets value T |
var S gets value C
file S copied to file T var X gets value T |
unset GLEXEC_SOURCE_PROXY
unset GLEXEC_TARGET_PROXY |
var X unchanged** | var S gets value C
var T gets value S
var X gets value T |
var S gets value C
var T gets value /tmp/x509up_u<uid>.glexec.XXXXXX file copied to file T var X gets value T |
* in logging only mode this is unwanted behaviour and therefore changed in version 0.7.0.
** this is unwanted behaviour and therefore changed in version 0.7.0.