sirux88 commented on a change in pull request #694:
URL: https://github.com/apache/guacamole-client/pull/694#discussion_r797332871
##########
File path: Dockerfile
##########
@@ -62,6 +62,9 @@ ARG GID=1001
RUN groupadd --gid $GID guacamole
RUN useradd --system --create-home --shell /usr/sbin/nologin --uid $UID --gid
$GID guacamole
+# allow guacamole user to import certificates into default java keystore file
cacerts
+run chown guacamole /usr/local/openjdk-8/jre/lib/security/cacerts && chmod +w
/usr/local/openjdk-8/jre/lib/security/cacerts
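Review bot: The added `chown guacamole ... cacerts && chmod +w ...` line makes the JVM-wide default trust store owned and writable by the unprivileged runtime account, so any code running as `guacamole` in the container can add or replace trusted CA certificates for every TLS connection the JVM makes. Consider leaving `cacerts` root-owned and having the application read additional certificates from a separate keystore that is read-only to the runtime user. Two smaller points on the same line: the instruction is written `run` while the surrounding lines use `RUN`, and the hard-coded `/usr/local/openjdk-8/jre/lib/security/cacerts` path ties the step to one base image layout.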
Review comment:
I don't like that solution either because of the same security reasons you mentioned.
To sum up my findings about Java and certificates:
- Only a keystore file can be used as a certificate source within Java.
- You can't load a single cert file into your application
- Importing into default keystore file for unprivileged users is not possible by default
A solution that only affects the container and provides sufficient security is not possible as far as I can assume:
- You can't run multiple CMD/ENTRYPOINT-commands within a Dockerfile with different users
- Importing certificates with RUN-Commands is nonsense since this would be done while building the image (and not starting a container)
A possible solution would be:
- create a new keystore file with all the necessary certs
- make the file read only after creating and importing
- merge it on the fly within the application with the system wide keystore (maybe with https://github.com/1and1/CompositeJKS)
But since this topic only affects containers and the approach above requires some changes to the application itself I don't know if it should be done like that.