RE: Permissions

[Sean Hulbert]

Hello Lee,

 

My words are correct in the process flow.

 

User drags a file from their desktop they are sitting at (physically) the file 
uploads to a directory on the guacamole server /Software/${GUAC_USERNAME}, once 
the upload has completed, the user would be able to go to their Guacamole 
shared drive and drag that file in to the virtual environment.

 

Ok I want to prevent the user from accessing the file until it has been scanned 
by ClamAv installed on the Guacamole server.

I have identified the steam and the code that is initiated when this event 
occurs. So now I am writing a program that will run on the Guacamole server 
locking the file until it has been scanned, once done its released to the user. 

 

I am almost done with the program so far manual testing is working. 

 

Thank You

Sean Hulbert

 

From: Lee Doughty [mailto:l...@virginiacyberrange.org] 
Sent: Thursday, August 25, 2022 10:32 AM
To: user@guacamole.apache.org
Subject: Re: Permissions

 

Sean, I think there is a mixup on the words, or your intention is unclear.

 

You would like to scan the file from the target server before the user has 
selected the file to upload?

 

The order of operations in this case must be:

1) User select the file by drag & drop to the VM

2) Upload occurs

3) Target server receives file and is able to scan it

 

Any other order, scanning from the target side, is simply impossible -- the 
server can't scan a file it does not have, and Guacamole cannot upload an 
undefined file.

 

If you're talking about trying to intercept the file after upload, before the 
user can execute/see it, that's on the OS/target side, outside of Guacamole's 
reach... Guacamole is simply uploading the file over the defined protocol, and 
I'm not aware of a protocol that allows an uploader to force the recipient to 
begin an AV scan after upload.

 

-Lee

 

 

On Wed, Aug 24, 2022 at 8:59 PM Sean Hulbert 
<shulb...@securitycentric.net.invalid 
<mailto:shulb...@securitycentric.net.invalid> > wrote:

Ok figured it out, permissions ok, however if you have ClamAV running and 
scanning Ondemand enabled it will automatically fail the upload.

 

So now my question is this; is there a way to scan uploaded files after they 
completed uploading to the GUAC_UASERNAME directory before users drag them in 
to the environment?

 

 

 

Thank You

Sean Hulbert

 

 

From: Sean Hulbert [mailto:shulb...@securitycentric.net.INVALID 
<mailto:shulb...@securitycentric.net.INVALID> ] 
Sent: Wednesday, August 24, 2022 5:42 PM
To: user@guacamole.apache.org <mailto:user@guacamole.apache.org> 
Subject: Permissions

 

Hello

 

Is there any reason why the GUAC_USERNAME for the file uploads permission cant 
be set to write only when dragging and dropping files in to the environment?

 

 

 

Thank You

Sean Hulbert