Re: Same shared Drive redirected to all users : Privacy and Security breach
On Sun, Jan 7, 2018 at 10:09 AM, Amarjeet Singhwrote: > Nick, Requirement is not to save username and password anywhere. It should > be logged in by the user itself. > > Yes, I understand and agree. > That is causing issue to create shared drive with username or > ${GUAC_USERNAME} > I don't think so. The ${GUAC_USERNAME} and ${GUAC_PASSWORD} tokens come from the username and password that the user logs into *Guacamole* with, not the username/password for the connection. As an example, if let's say you have Guacamole configured to use LDAP authentication, and you are storing your connections in JDBC. Guacamole LDAP is configured to point to Active Directory, and you have a user, test_user, and the LDAP/AD password for that user is DoNotCopyMe. The user is connecting to a Windows server, via RDP, joined to the same AD domain where LDAP is configured, server1. Here's how the flow would work: - User logs into Guacamole at https://guacamole.example.com/guacamole, with username test_user and password DoNotCopyMe - Guacamole, upon successful login, registers ${GUAC_USERNAME} as test_user and ${GUAC_PASSWORD} as DoNotCopyMe. - The user starts the connection to server1, which has the username parameter set to ${GUAC_USERNAME}, the password parameter set to ${GUAC_PASSWORD}, and the Drive Path parameter set to /tmp/${GUAC_USERNAME}. - The connection automatically logs into the server because the Guacamole username and password is passed through to the RDP connection through the tokens. - The connection maps the /tmp/test_user directory through to the RDP connection by resolving the username token. > > ${GUAC_USERNAME} works if Single sign on is there i.e. username and > password is provided. it fails if username and password is not there. > > Well, that depends on what you mean by "Single sign on" and "is [not] there." The actual username and password do not have to be saved in the connection in order to be made available; however, the user has to log in to be logging in to Guacamole. So, if you're using some sort of anonymous Guacamole authentication (the deprecated noauth extension, for example), then the GUAC_USERNAME and GUAC_PASSWORD tokens will not be available. If you're using a SSO login method (OpenID, SAML, CAS without ClearPass), then the GUAC_USERNAME token will be available while the GUAC_PASSWORD token may or may not, depending on your configuration. If you're using LDAP or JDBC, then both the GUAC_USERNAME and GUAC_PASSWORD token should be available. How are your users authenticating to Guacamole? -Nick
Re: Same shared Drive redirected to all users : Privacy and Security breach
Nick, Requirement is not to save username and password anywhere. It should be logged in by the user itself. That is causing issue to create shared drive with username or ${GUAC_USERNAME} ${GUAC_USERNAME} works if Single sign on is there i.e. username and password is provided. it fails if username and password is not there. On Sun, Jan 7, 2018 at 8:29 PM, Nick Couchmanwrote: > > On Sun, Jan 7, 2018 at 9:48 AM Amarjeet Singh > wrote: > >> If I don't pass username and password then ${GUAC_USERNAME} fails to >> resolve [ *Scenario : I want users to enter username and password on >> Windows screen* ]. It create directory with it's own name i.e. >> ${GUAC_USERNAME} >> >> >> So, Creating filesystem solved this issue and It created directories of >> users at runtime using "*enable-create-drive*" parameter. >> >> Now, I need to look into the following to achieve quotas per sub-volumes >> or each user's directory. :- >> >> ZFS or btrfs, for example, allow for sub-volumes and quotas per-volume, >>> per-user, and/or per-group >>> >> >> Using SFTP is a good idea though but in case I want the user to enter >> *username >> and password* on the Windows screen then It would fail. >> >> *Can't save username and password on the user-mapping.xml file for >> security purposes.* >> > > I would not use the user-mapping.xml file for the size of production > environment that you're using. First, I'm not certain that the tokens > (${GUAC_USERNAME} and ${GUAC_PASSWORD}) actually work with the simple/basic > file authentication mechanism. Mike can verify this. Second, storing > usernames/passwords in user-mapping.xml for 500 users seems like a bad idea. > > If you're considering scaling to this level, I suggest using one or more > of the extension modules for authentication - at least the JDBC module, and > perhaps that in combination with something, like LDAP. If you're using > active directory for the Windows servers you're connecting to this makes a > lot of sense, because the username/password used to log in to Guacamole > will match to the servers you're logging into. If you're not, it still > might make sense to track users in some sort of database - either JDBC or > LDAP - as this will provide continuity across the environment. > > -Nick >
Re: Same shared Drive redirected to all users : Privacy and Security breach
On Sun, Jan 7, 2018 at 9:48 AM Amarjeet Singhwrote: > If I don't pass username and password then ${GUAC_USERNAME} fails to > resolve [ *Scenario : I want users to enter username and password on > Windows screen* ]. It create directory with it's own name i.e. > ${GUAC_USERNAME} > > > So, Creating filesystem solved this issue and It created directories of > users at runtime using "*enable-create-drive*" parameter. > > Now, I need to look into the following to achieve quotas per sub-volumes > or each user's directory. :- > > ZFS or btrfs, for example, allow for sub-volumes and quotas per-volume, >> per-user, and/or per-group >> > > Using SFTP is a good idea though but in case I want the user to enter > *username > and password* on the Windows screen then It would fail. > > *Can't save username and password on the user-mapping.xml file for > security purposes.* > I would not use the user-mapping.xml file for the size of production environment that you're using. First, I'm not certain that the tokens (${GUAC_USERNAME} and ${GUAC_PASSWORD}) actually work with the simple/basic file authentication mechanism. Mike can verify this. Second, storing usernames/passwords in user-mapping.xml for 500 users seems like a bad idea. If you're considering scaling to this level, I suggest using one or more of the extension modules for authentication - at least the JDBC module, and perhaps that in combination with something, like LDAP. If you're using active directory for the Windows servers you're connecting to this makes a lot of sense, because the username/password used to log in to Guacamole will match to the servers you're logging into. If you're not, it still might make sense to track users in some sort of database - either JDBC or LDAP - as this will provide continuity across the environment. -Nick
Re: Same shared Drive redirected to all users : Privacy and Security breach
Hi Mike, Use separate filesystems to hold the drive contents, not the root filesystem of your Guacamole server. If I have 500 users then I can't have separate file system for each one of them on the same machine where guacamole server runs [ centos 7 ] . You can use the "${GUAC_USERNAME}" token cause a parameter to vary by > the username, like the "drive-path" parameter. Together with the > "create-drive-path" parameter, this allows you to dynamically provide > separate drives on a per-user basis. where exactly I have to do ? Where do I have to change this or add ${GUAC_USERNAME}. Is it in Javascript or Java. How can I control the size limit for each user ? Can I define volume size for each user ? @Mike : Thanks for the quick response. I appreciate that. I read your side note as well. I won't update the fix version of any bug reported by me ? Really sorry for that mess. Thanks and Regards, Amarjeet Singh On Sun, Jan 7, 2018 at 12:50 AM, Mike Jumperwrote: > On Sat, Jan 6, 2018 at 10:58 AM, Amarjeet Singh > wrote: > > > > Hi Team, > > > > I have redirected shared drive on Windows server 2012 R 2. I have 5 > users in that machine. > > > > I have mapped this drive to one of the folder of Centos 7 where > guacamole server runs. > > > > Now, all the users are getting the same shared drive folder. > > > > Sounds OK so far. > > > > > It means one user can access files of other users. It is very dangerous. > > > > It is breach of security and privacy as well. > > > > Is it any configuration I am missing ? > > > > Guacamole will only do what you tell it to do. If you configure the > connection for each user to use the same drive directory, then each > user will have equivalent access to the contents of that directory. If > this is not what you want, then you need to tell Guacamole to do > something else. > > The mechanism most users use to ensure that each user is given a > different drive directory are parameter tokens: > > http://guacamole.apache.org/doc/gug/configuring-guacamole. > html#parameter-tokens > > You can use the "${GUAC_USERNAME}" token cause a parameter to vary by > the username, like the "drive-path" parameter. Together with the > "create-drive-path" parameter, this allows you to dynamically provide > separate drives on a per-user basis. > > Alternatively, you can write an extension for Guacamole which derives > connection parameter data however you like, including populating the > "drive-path" parameter dynamically based on the user, some unique > value generated for that session, etc. > > > > > Data of the user should be deleted once the session is disconnected > otherwise it will occupy whole lot of space in the server [ where > guacamole server runs ]. > > > > No, part of the point of Guacamole's virtual drive is that the data > persists: > > http://guacamole.apache.org/doc/gug/using-guacamole.html#rdp-virtual-drive > > If you want data to be deleted after a user disconnects, you will need > to implement that functionality outside of Guacamole or through an > extension, though I really wouldn't recommend this. The Principle of > Least Surprise being what it is, I don't imagine users being happy > when their uploaded files mystically disappear. > > > It will definitely cause the server down. > > > > No. If you provide your users with storage space, it does not > immediately follow that your server will go down. > > If you intend to provide your users with storage, such as that > provided by Guacamole's virtual drive, and you are concerned that they > may use up disk space, you will need to architect that storage such > that this is not an issue. Use separate filesystems to hold the drive > contents, not the root filesystem of your Guacamole server. > > > > > Every user 's shared drive should not be same. > > > > If you do not want the shared drive to be the same, it must be > configured to be different. See above. > > > And we cannot assign 50 user different folder location every time. > > > > You can, though for 5 users I'd recommend 5, not 50. You can do this > automatically, through the "${GUAC_USERNAME}" token or through writing > your own extension to handle this, or manually, through creating 5 > separate connections. I would recommend the automatic route. > > - Mike >
Re: Same shared Drive redirected to all users : Privacy and Security breach
On Sat, Jan 6, 2018 at 10:58 AM, Amarjeet Singhwrote: > > Hi Team, > > I have redirected shared drive on Windows server 2012 R 2. I have 5 users in > that machine. > > I have mapped this drive to one of the folder of Centos 7 where guacamole > server runs. > > Now, all the users are getting the same shared drive folder. > Sounds OK so far. > > It means one user can access files of other users. It is very dangerous. > > It is breach of security and privacy as well. > > Is it any configuration I am missing ? > Guacamole will only do what you tell it to do. If you configure the connection for each user to use the same drive directory, then each user will have equivalent access to the contents of that directory. If this is not what you want, then you need to tell Guacamole to do something else. The mechanism most users use to ensure that each user is given a different drive directory are parameter tokens: http://guacamole.apache.org/doc/gug/configuring-guacamole.html#parameter-tokens You can use the "${GUAC_USERNAME}" token cause a parameter to vary by the username, like the "drive-path" parameter. Together with the "create-drive-path" parameter, this allows you to dynamically provide separate drives on a per-user basis. Alternatively, you can write an extension for Guacamole which derives connection parameter data however you like, including populating the "drive-path" parameter dynamically based on the user, some unique value generated for that session, etc. > > Data of the user should be deleted once the session is disconnected otherwise > it will occupy whole lot of space in the server [ where guacamole server > runs ]. > No, part of the point of Guacamole's virtual drive is that the data persists: http://guacamole.apache.org/doc/gug/using-guacamole.html#rdp-virtual-drive If you want data to be deleted after a user disconnects, you will need to implement that functionality outside of Guacamole or through an extension, though I really wouldn't recommend this. The Principle of Least Surprise being what it is, I don't imagine users being happy when their uploaded files mystically disappear. > It will definitely cause the server down. > No. If you provide your users with storage space, it does not immediately follow that your server will go down. If you intend to provide your users with storage, such as that provided by Guacamole's virtual drive, and you are concerned that they may use up disk space, you will need to architect that storage such that this is not an issue. Use separate filesystems to hold the drive contents, not the root filesystem of your Guacamole server. > > Every user 's shared drive should not be same. > If you do not want the shared drive to be the same, it must be configured to be different. See above. > And we cannot assign 50 user different folder location every time. > You can, though for 5 users I'd recommend 5, not 50. You can do this automatically, through the "${GUAC_USERNAME}" token or through writing your own extension to handle this, or manually, through creating 5 separate connections. I would recommend the automatic route. - Mike