Hi Nick,

Thanks for the suggestions, blocking requests at the reverse proxy side sounds good for now. I use Apache as a reverse proxy, and the log shows a few paths as below when I press ctrl+alt+shift while in an RDP connection.

/api/session/data/quickconnect/activeConnections
/api/session/data/mysql-shared/activeConnections
/api/session/data/mysql/activeConnections

When I upload a file successfully I get the below path.

/api/session/tunnels/bsdfd339d-6178-3851-a477-afhdfg721c7f3/streams/1/image.png?token=B1fghfghfghfgh........

This looks like a general API path, so not sure.

I also tried setting the below in the guacamole.properties file, but it didn't help.

enable-drive: false
enable-printing:false
disable-upload:true

On Sat, Sep 16, 2023 at 7:21 PM Nick Couchman <[email protected]> wrote:

> On Fri, Sep 15, 2023 at 6:35 AM khmadhu <[email protected]> wrote:
>
>> Hi,
>>
>> I am looking for an option to disable ALL file transfers like shared
>> drives / SFTP, for all default users in a connection group. Even if
>> users have the option to create connections, the file transfer options must
>> be disabled. Is that possible? How can we achieve this?
>>
>
> There's no configuration option you can set to disable this globally -
> basically, if you give users the ability to create connections, you're
> giving them administrative privileges to the system, and that includes all
> of the capabilities of any of the connections, including file transfer. If
> you don't want people to be able to create connections with file transfer
> capability, you probably shouldn't give them the ability to create
> connections - there may be other things they can do (saving credentials,
> for example) that you may not want done.
>
> I can think of a couple of theoretical ways to accomplish this, but
> without having tried either of them, I don't know exactly how they would
> work:
> * Run guacd in a container or chroot jail, where the user account running
> guacd does not have write access to any part of the filesystem, including
> /tmp (normally world-writable).
> * Run guacd inside a filesystem that has quotas enabled and set, and
> restrict the quota for the user account to essentially nothing. This would
> also have to factor in places that are normally world-writable, like /tmp,
> /var/tmp, etc.
> * Use a reverse proxy or web application firewall to restrict access to
> the REST API endpoints that handle file transfers. I don't know what these
> are off the top of my head, but, since everything in Guacamole is done via
> the REST API, there is an API endpoint responsible for it, and it should be
> possible to block it, either in your proxy configuration (Nginx, Apache
> httpd, Traefik, etc.) or with a WAF.
>
> -Nick
>

--
Thanks & Regards
Madhusudan
9844117475
Bengaluru-12.
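
An added example, not part of the original thread and not Guacamole project code: a Python script that sorts Apache access-log lines into the two path shapes quoted in the message above, so you can see which HTTP methods actually reach the tunnel stream path before scoping a proxy or WAF rule. The sample log lines (addresses, tunnel ids, methods, tokens) are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Request field of an Apache common/combined log line: "METHOD target PROTO" status
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Path shapes copied from the message above; the tunnel id is matched loosely.
STREAM = re.compile(r"^/api/session/tunnels/[^/]+/streams/(?P<index>\d+)/(?P<name>[^/]+)$")
ACTIVE = re.compile(r"^/api/session/data/[^/]+/activeConnections$")

# Constructed sample lines: addresses, ids, methods and tokens are made up.
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Sep/2023:19:40:01 +0530] "GET /api/session/data/mysql/activeConnections?token=EXAMPLE HTTP/1.1" 200 2',
    '203.0.113.7 - - [16/Sep/2023:19:40:09 +0530] "POST /api/session/tunnels/00000000-0000-0000-0000-000000000000/streams/1/image.png?token=EXAMPLE HTTP/1.1" 200 -',
    '203.0.113.7 - - [16/Sep/2023:19:41:30 +0530] "GET /api/session/tunnels/00000000-0000-0000-0000-000000000000/streams/2/report.pdf?token=EXAMPLE HTTP/1.1" 200 5120',
    '203.0.113.7 - - [16/Sep/2023:19:42:00 +0530] "GET /images/logo.png HTTP/1.1" 200 900',
]

def classify(line):
    """Return (kind, method, filename, status) for one log line, or None."""
    m = REQUEST.search(line)
    if m is None:
        return None  # not a request line this parser understands
    # urlsplit drops the query string, so ?token=... never reaches the report.
    path = urlsplit(m["target"]).path
    status = int(m["status"])
    stream = STREAM.match(path)
    if stream:
        return ("stream", m["method"], stream["name"], status)
    if ACTIVE.match(path):
        return ("activeConnections", m["method"], None, status)
    return ("other", m["method"], None, status)

def summarize(lines):
    """Count requests per (kind, method) so a proxy rule can be scoped narrowly."""
    counts = Counter()
    for line in lines:
        result = classify(line)
        if result is not None:
            counts[(result[0], result[1])] += 1
    return counts

if __name__ == "__main__":
    for (kind, method), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{kind:18} {method:5} {n}")
```

Run it against your own access log in place of SAMPLE_LOG; the per-method counts for the "stream" kind show what a rule on that path would affect.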
