gpclient rootless with capabilites: /var/run/gpclient.lock: Permission denied

[t-nil]

GlobalProtect-openconnect/apps/gpclient/src/connect.rs

Line 416 in a641453

fs::write(GP_CLIENT_LOCK_FILE, pid.to_string()).unwrap();

This fails when running gpclient rootless with capabilites (`sudo capsh --caps='cap_net_admin+eip cap_setpcap,cap_setuid,cap_setgid+ep' --user=nobody --keep=1 --addamb=cap_net_admin -- -c 'gpclient connect […] --csd-wrapper /usr/lib/openconnect/hipreport.sh --user […]'), because only root can write in that directory. I think a fix would be to use $XDG_RUNTIME_DIR (or, better yet, /tmp/gpclient_.lock or something, since $XDG_RUNTIME_DIR only exists if you use a user who is logged in).

Would such a change be acceptable?

In other notes, why does gpclient lock in the first place? Is ist the goal to only launch one application per user?

[yuezk]

I think the GP_CLIENT_LOCK_FILE can be changed to any other directory. I added the lock file mainly because I want to be able to implement the gpclient disconnect command, in which I will find the lock file and send a terminate signal to it. But I didn't finish it due to some other problems.