[
https://issues.apache.org/jira/browse/GUACAMOLE-890?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17026031#comment-17026031
]
Jotam edited comment on GUACAMOLE-890 at 1/29/20 4:51 PM:
----------------------------------------------------------
OK, I made nice progress.
As 65534 user has {{/nonexistent}} as {{$HOME}} directory in the container, I
gave him another one so that he can do deployment, as required by
[start.sh|https://github.com/apache/guacamole-client/blob/master/guacamole-docker/bin/start.sh]
script.
{{# docker run --name some-guacamole --link some-guacd:guacd -e
MYSQL_HOSTNAME=10.10.10.10 -e MYSQL_DATABASE=guacamole -e MYSQL_USER=guacamole
-e MYSQL_PASSWORD='guacamole' -e HOME=/tmp -u 65534:65534 -p 8080:8080
guacamole/guacamole:1.1.0-RC1}}
{{{color:#DE350B}ln: failed to create symbolic link
'/usr/local/tomcat/webapps/guacamole.war': Permission denied{color}}}
Still fails, but then the error is rather relevant, a permission one.
It's the very last step before catalina starts.
Perhaps we could then find a fix, or at least a workaround.
was (Author: jotam):
OK, I made nice progress.
As 65534 user has {{/nonexistent}} as {{$HOME}} directory, I gave him another
one so that he can do deployment, as required by
[start.sh|https://github.com/apache/guacamole-client/blob/master/guacamole-docker/bin/start.sh]
script.
{{# docker run --name some-guacamole --link some-guacd:guacd -e
MYSQL_HOSTNAME=10.10.10.10 -e MYSQL_DATABASE=guacamole -e MYSQL_USER=guacamole
-e MYSQL_PASSWORD='guacamole' -e HOME=/tmp -u 65534:65534 -p 8080:8080
guacamole/guacamole:1.1.0-RC1}}
{{{color:#DE350B}ln: failed to create symbolic link
'/usr/local/tomcat/webapps/guacamole.war': Permission denied{color}}}
Still fails, but then the error is rather relevant, a permission one.
It's the very last step before catalina starts.
Perhaps we could then find a fix, or at least a workaround.
> Guacamole/Guacd Docker Process Privilege Drop
> ---------------------------------------------
>
> Key: GUACAMOLE-890
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-890
> Project: Guacamole
> Issue Type: Improvement
> Components: guacamole-docker
> Reporter: Anthony Boccia
> Priority: Minor
> Labels: docker, security
>
> Hello,
> I noticed after deploying Guacamole in docker that the processes all run as
> the root user. Are there any plans to add support for specifying a user for
> the processes to drop privs to and run as instead of root? I am currently
> doing this rebuilding the containers for guacamole and guacd adding in my own
> user and using docker compose to exec all processes triggered within the
> container as that user. I feel like the option to specify this should be done
> upstream.
> Thank You
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
