[ https://issues.apache.org/jira/browse/GUACAMOLE-890?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17026031#comment-17026031 ]
Jotam edited comment on GUACAMOLE-890 at 1/29/20 4:51 PM:
----------------------------------------------------------

OK, I made nice progress. As the 65534 user has {{/nonexistent}} as {{$HOME}} directory in the container, I gave him another one so that he can do deployment, as required by the [start.sh|https://github.com/apache/guacamole-client/blob/master/guacamole-docker/bin/start.sh] script.

{{# docker run --name some-guacamole --link some-guacd:guacd -e MYSQL_HOSTNAME=10.10.10.10 -e MYSQL_DATABASE=guacamole -e MYSQL_USER=guacamole -e MYSQL_PASSWORD='guacamole' -e HOME=/tmp -u 65534:65534 -p 8080:8080 guacamole/guacamole:1.1.0-RC1}}

{{{color:#DE350B}ln: failed to create symbolic link '/usr/local/tomcat/webapps/guacamole.war': Permission denied{color}}}

Still fails, but then the error is rather relevant, a permission one. It's the very last step before catalina starts. Perhaps we could then find a fix, or at least a workaround.

was (Author: jotam):

OK, I made nice progress. As the 65534 user has {{/nonexistent}} as {{$HOME}} directory, I gave him another one so that he can do deployment, as required by the [start.sh|https://github.com/apache/guacamole-client/blob/master/guacamole-docker/bin/start.sh] script.

{{# docker run --name some-guacamole --link some-guacd:guacd -e MYSQL_HOSTNAME=10.10.10.10 -e MYSQL_DATABASE=guacamole -e MYSQL_USER=guacamole -e MYSQL_PASSWORD='guacamole' -e HOME=/tmp -u 65534:65534 -p 8080:8080 guacamole/guacamole:1.1.0-RC1}}

{{{color:#DE350B}ln: failed to create symbolic link '/usr/local/tomcat/webapps/guacamole.war': Permission denied{color}}}

Still fails, but then the error is rather relevant, a permission one. It's the very last step before catalina starts. Perhaps we could then find a fix, or at least a workaround.

> Guacamole/Guacd Docker Process Privilege Drop
> ---------------------------------------------
>
> Key: GUACAMOLE-890
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-890
> Project: Guacamole
> Issue Type: Improvement
> Components: guacamole-docker
> Reporter: Anthony Boccia
> Priority: Minor
> Labels: docker, security
>
> Hello,
> I noticed after deploying Guacamole in docker that the processes all run as
> the root user. Are there any plans to add support for specifying a user for
> the processes to drop privs to and run as instead of root? I am currently
> doing this rebuilding the containers for guacamole and guacd adding in my own
> user and using docker compose to exec all processes triggered within the
> container as that user. I feel like the option to specify this should be done
> upstream.
> Thank You

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
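
The two failures reported in the comment above (no usable {{$HOME}} for uid 65534, then "Permission denied" when linking into {{/usr/local/tomcat/webapps}}) can be predicted before the container process starts. The following is an added example, not code from the issue or from the Guacamole project: {{can_create_in}} and {{preflight}} are hypothetical names, and the check assumes GNU {{stat}} and looks only at owner/group/other mode bits.

```shell
#!/bin/sh
# Added example (not Guacamole's own code): predict whether an unprivileged
# uid:gid could create an entry (file or symlink) in a directory.
# Assumptions: GNU stat; only owner/group/other mode bits are evaluated.
# Supplementary groups, ACLs, capabilities and read-only mounts are ignored.

# can_create_in UID GID DIR
#   returns 0 if allowed, 1 if denied, 2 if DIR is missing or unreadable
can_create_in() {
    uid=$1; gid=$2; dir=$3
    [ -d "$dir" ] || return 2                  # e.g. HOME=/nonexistent
    [ "$uid" -eq 0 ] && return 0               # root bypasses mode bits
    info=$(stat -c '%u %g %a' "$dir") || return 2
    set -- $info                               # owner uid, owner gid, octal mode
    owner=$1; group=$2
    n=$(( $3 % 1000 ))                         # drop setuid/setgid/sticky digit
    if [ "$uid" -eq "$owner" ]; then
        bits=$(( n / 100 ))                    # owner permission digit
    elif [ "$gid" -eq "$group" ]; then
        bits=$(( n / 10 % 10 ))                # group permission digit
    else
        bits=$(( n % 10 ))                     # other permission digit
    fi
    # Creating an entry needs both write (2) and search (1) on the directory.
    [ $(( bits & 3 )) -eq 3 ]
}

# preflight UID GID DIR...
#   reports every directory the uid:gid cannot write to; non-zero if any fails
preflight() {
    uid=$1; gid=$2; shift 2
    rc=0
    for d in "$@"; do
        if can_create_in "$uid" "$gid" "$d"; then
            echo "ok   $d"
        else
            echo "FAIL $d is not writable by $uid:$gid"
            rc=1
        fi
    done
    return $rc
}

# Usage inside the image, with the paths named in the comment above:
#   preflight 65534 65534 "$HOME" /usr/local/tomcat/webapps
```

Run as root inside the image before dropping privileges, a FAIL line for the webapps directory corresponds to the {{ln}} error shown in the comment.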