On Tue, May 17, 2022 at 9:44 PM Yukiya Hayashi <[email protected]>
wrote:

> Hello everyone, I have a question. I have listed this question in the
> following Jira and was directed to ask this ML.
> https://issues.apache.org/jira/browse/GUACAMOLE-1609
>
> ----
>
> *Background*
>
>   I am running Guacamole with Docker and using the "device redirection"
> feature on a Windows Server.
> After upgrading Guacamole from version 1.1.0 to 1.4.0, the "device
> redirection" function no longer works.
>
> *What I investigated*
>    I have isolated the problem and found that there was no problem up to
> version 1.2.0 and the problem started with version 1.3.0. The cause appears
> to be that the user used in the container was changed from root to guacd
> starting with version 1.3.0. The guacd process seems to create a directory
> with the name of the target host in / in order to use "device redirection".
> Up to version 1.2.0, the directory was created without any problem because
> it was started as root user. However, since version 1.3.0, the "device
> redirection" does not seem to work because the directory cannot be created
> under / for the guacd user.
>
> *Possible solutions*
>   I have the following two ideas, and I would like you to consider the
> latter approach if possible.
>
>    - Make guacd startup user as root as it was up to version 1.2.0.
>    - Change the path for the guacd process to create the "device
>    redirection" directory to something appropriate (e.g. /tmp/ would be
>    appropriate).
>
>
Yes, with the change to a non-root user, you will need to make sure that
your connection configurations specify a drive redirection location where
the user running guacd has access to the folder, and, if you want users to
be able to create folders and write files, the user will need write access.
I would not make guacd start up as the root user - we have very
deliberately changed the configuration such that guacd is more secure when
running under a non-root account. I also would not use /tmp - things have a
tendency to get deleted out of /tmp. While I do not generally run guacd in
Docker, on the systems where I run guacd I have a dedicated storage location
for the redirected folders, and I make sure the guacd user has read and
write access. The same could be accomplished within Docker by passing
through a folder/volume to the Docker container that the guacd user has
access to.

-Nick
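
A pre-flight check for the passed-through folder described in the reply above, added here as an example; it is not part of the original thread or of the Guacamole project. It assumes a Linux Docker host with GNU stat, and the host path `/srv/guacd-drive`, the container path `/drive` and the uid/gid 1000 are hypothetical placeholders to be replaced with the values reported by `id` inside your guacd image.

```shell
#!/bin/sh
# Added example; assumes a Linux host with GNU stat. Ignores ACLs and
# supplementary groups. Paths and ids below are hypothetical placeholders.

# drive_path_ok DIR UID GID
# Returns 0 when DIR's owner/group/mode give UID:GID read, write and search
# access, 1 when they do not, 2 when DIR does not exist.
drive_path_ok() {
    dir=$1; want_uid=$2; want_gid=$3
    if [ ! -d "$dir" ]; then
        echo "drive path missing: $dir" >&2
        return 2
    fi
    # Owner uid, group gid and octal mode of the directory.
    set -- $(stat -c '%u %g %a' "$dir")
    own_uid=$1; own_gid=$2; mode=$3
    perm=$((0$mode))
    # Pick the permission class that applies to the requested uid/gid.
    if [ "$want_uid" -eq "$own_uid" ]; then
        bits=$(( (perm >> 6) & 7 ))
    elif [ "$want_gid" -eq "$own_gid" ]; then
        bits=$(( (perm >> 3) & 7 ))
    else
        bits=$(( perm & 7 ))
    fi
    if [ "$bits" -ne 7 ]; then
        echo "uid $want_uid lacks rwx on $dir ($own_uid:$own_gid mode $mode)" >&2
        return 1
    fi
    return 0
}

# Intended use on the Docker host (not executed here):
#   docker run --rm --entrypoint id guacamole/guacd     # confirm guacd uid/gid
#   mkdir -p /srv/guacd-drive && chown 1000:1000 /srv/guacd-drive
#   drive_path_ok /srv/guacd-drive 1000 1000 &&
#     docker run -d -v /srv/guacd-drive:/drive guacamole/guacd
# Connection parameters: enable-drive=true, drive-path=/drive

# Run the check directly when called with DIR UID GID.
if [ "$#" -ge 3 ]; then
    drive_path_ok "$1" "$2" "$3"
fi
```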
