necouchman commented on a change in pull request #469: GUACAMOLE-890: Security:
Allow image to run as non-root user
URL: https://github.com/apache/guacamole-client/pull/469#discussion_r372911057
##########
File path: guacamole-docker/bin/start.sh
##########
@@ -583,8 +583,11 @@ END
start_guacamole() {
# Install webapp
- rm -Rf /usr/local/tomcat/webapps/${WEBAPP_CONTEXT:-guacamole}
- ln -sf /opt/guacamole/guacamole.war
/usr/local/tomcat/webapps/${WEBAPP_CONTEXT:-guacamole}.war
+ if [ -n "$WEBAPP_CONTEXT" ]
+ then
+ rm /usr/local/tomcat/webapps/guacamole.war
+ ln -sf /opt/guacamole/guacamole.war
/usr/local/tomcat/webapps/${WEBAPP_CONTEXT}.war
+ fi
Review comment:
I'm not sure I understand how this both resolves the non-root user issue and
also maintains the `WEBAPP_CONTEXT` capability? It seems like, if linking at
start time rather than build time causes non-root startup to fail, then anyone
who is using `WEBAPP_CONTEXT` rather than the default `guacamole.war` is going
to still have an issue running under a non-root account, correct??
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
With regards,
Apache Git Services
