necouchman commented on a change in pull request #469: GUACAMOLE-890: Security: Allow image to run as non-root user URL: https://github.com/apache/guacamole-client/pull/469#discussion_r392622448
########## File path: guacamole-docker/bin/start.sh ########## @@ -30,7 +30,7 @@ GUACAMOLE_HOME_TEMPLATE="$GUACAMOLE_HOME" -GUACAMOLE_HOME="$HOME/.guacamole" +GUACAMOLE_HOME="/tmp/guacamole" Review comment: My issue with the directory being placed in /tmp is not the accessibility of the directory to other users/processes, it's the fact that a configuration directory (or webapp deployment directory) is in /tmp - this doesn't make sense to me. Configuration directories should be in configuration directory locations - not in any place that happens to work because we have write access to it :-). I tend to agree with @manolan1, here - Guacamole can't be the only piece of software fighting this issue. Is what you've done here a commonly-implemented solution among other Tomcat + Docker web applications that run as non-root users? I'm willing to defer on this one if @mike-jumper or any of the other project members think we should just move forward, but this still just feels a little off to me. ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected] With regards, Apache Git Services
