mike-jumper commented on a change in pull request #469: GUACAMOLE-890: Security: Allow image to run as non-root user
URL: https://github.com/apache/guacamole-client/pull/469#discussion_r373107655
 
 

 ##########
 File path: Dockerfile
 ##########
 @@ -56,6 +56,14 @@ WORKDIR /opt/guacamole
 # Copy artifacts from builder image into this image
 COPY --from=builder /opt/guacamole/ .
 
+# Turn on the Remote IP Valve
+RUN sed -i 's+^\(      </Host>\)+        <Valve 
className="org.apache.catalina.valves.RemoteIpValve" />\n\1+' 
/usr/local/tomcat/conf/server.xml
+
+# Allow image to run as non-root user
+RUN sed -i 's/unpackWARs="true"/unpackWARs="false"/' 
/usr/local/tomcat/conf/server.xml
+RUN chmod 777 /usr/local/tomcat/temp
 
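Review bot: `RUN chmod 777 /usr/local/tomcat/temp` on the last added line makes Tomcat's temp directory writable by every user in the image and, unlike a mode 1777 `/tmp`, sets no sticky bit, so any user could also remove or replace files Tomcat creates there. Consider giving the directory to the user or group the container runs as and keeping a mode without world write, or pointing `CATALINA_TMPDIR` at a directory created for that user. Separately, both `sed -i` edits of `server.xml` exit successfully when their pattern matches nothing, so a change in the base image's file would silently drop the valve or leave `unpackWARs="true"`; a `grep -q` for the expected text after each edit would fail the build instead. The comment `# Allow image to run as non-root user` would also be clearer if it said why unpacking WARs is disabled.
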
 Review comment:
   There's definitely a difference in purpose between `/tmp` (the system-wide temp directory) and `CATALINA_TMPDIR` (the temp directory dedicated to Tomcat). The former needs to be world-writable, yes, but I don't know what the security implications would be of making the Tomcat-specific temp directory world-writable.
   
   The fact that:
   
   * A system-wide, generic temp directory isn't already used for `CATALINA_TMPDIR`
   * The Tomcat-specific directory isn't world-writable by default, but rather locked down for Tomcat's use.
   
   indicates to me that this change should be made with caution. I think we would need to firmly establish that this directory is safe to be world-writable.
   
   One alternative could be to create a Tomcat-specific subdirectory within `/tmp` or `/var/tmp` and point `CATALINA_TMPDIR` to that. As long as that subdirectory has the same permissions as the default `CATALINA_TMPDIR` normally would, this should be safe. Pointing `CATALINA_TMPDIR` directly to `/tmp` itself would not necessarily be safe unless it can be established that what you're already doing (`chmod 777`) is safe.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
[email protected]


With regards,
Apache Git Services
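
The alternative described in the review comment above (a Tomcat-specific subdirectory under `/tmp`, with `CATALINA_TMPDIR` pointed at it), sketched as an added example that is not part of the pull request or the Guacamole project. The function names, the `tomcat-tmp` prefix and the choice of mode 0700 for the runtime user are assumptions.

```shell
#!/bin/sh
# Added example, not code from the pull request. Function names and the
# "tomcat-tmp" prefix are assumptions made for illustration.

# Create a private temp directory for Tomcat under a shared parent and print
# its path. mktemp -d creates it with mode 0700, owned by the caller, and
# fails instead of reusing a name that already exists.
make_tomcat_tmpdir() {
    parent=${1:-/tmp}
    mktemp -d "$parent/tomcat-tmp.XXXXXX"
}

# Return 0 only if the path is a real directory (not a symlink), owned by the
# current user, and not writable by group or others.
tmpdir_is_private() {
    dir=$1
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    [ -O "$dir" ] || return 1
    # find prints the path only when neither the group-write nor the
    # other-write bit is set; -prune keeps it from descending.
    [ -n "$(find "$dir" -prune ! -perm -020 ! -perm -002 2>/dev/null)" ]
}

# Container entry point: create the directory as the runtime (non-root) user,
# verify it, and start Tomcat with CATALINA_TMPDIR pointing at it.
start_tomcat() {
    CATALINA_TMPDIR=$(make_tomcat_tmpdir "${1:-/tmp}") || return 1
    tmpdir_is_private "$CATALINA_TMPDIR" || return 1
    export CATALINA_TMPDIR
    exec catalina.sh run
}
```

Because the directory is created at start-up by whichever user the container runs as, no world-writable path has to be baked into the image.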
