mike-jumper commented on a change in pull request #694:
URL: https://github.com/apache/guacamole-client/pull/694#discussion_r797211243
##########
File path: Dockerfile
##########
@@ -62,6 +62,9 @@ ARG GID=1001
RUN groupadd --gid $GID guacamole
RUN useradd --system --create-home --shell /usr/sbin/nologin --uid $UID --gid
$GID guacamole
+# allow guacamole user to import certificates into default java keystore file
cacerts
+run chown guacamole /usr/local/openjdk-8/jre/lib/security/cacerts && chmod +w
/usr/local/openjdk-8/jre/lib/security/cacerts
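Review bot: The added `chown guacamole ... cacerts && chmod +w ...` line hands the JVM-wide default trust store to the same unprivileged account that runs the web application, so a compromise of that process could add trusted CAs for every TLS connection the JVM makes. Consider importing the required certificates as root while the image is built and leaving cacerts root-owned. If runtime imports are really needed, give the guacamole user its own trust store file and point the JVM at it with the javax.net.ssl.trustStore system property. Two smaller points on the same line: the instruction is written as lowercase `run` where the surrounding lines use `RUN`, and the hardcoded `/usr/local/openjdk-8/jre/...` path ties the Dockerfile to one JDK layout.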
Review comment:
I don't think this should be done. Should something go awry in the web
application, this would extend the malicious potential of that to installing
certificates.
The limited-privilege user that runs the webapp shouldn't be able to alter
certs.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.