Following up on this as I am still experiencing this issue even on 1.6.0-RC.

I had more time to dig into it and I am sure that the problem is caused by how the guacd user is creating directories (and files) in the recording directory. It only sets the permissions for user and group, without any permissions for others (which when running the docker containers, the guacd user and group is 1000:1000 and the guacamole user and group is 1001:1001, and thus no overlap). Therefore the directory that is created by the guacd user from the guacamole-server container is not able to be read by the guacamole user from the guacamole-client container. Also, the recording files that are created don’t have overlapping permissions either.

One solution would be to update the permissions of all the “mkdir()”s and “open()”s in the src/libguac/recording.c file and the src/terminal/typescript.c file. The line that would need to be updated for directory permissions can be found here:

https://github.com/apache/guacamole-server/blob/b52692933f5e1b18e27b0236c0e2cb7b028a8a84/src/libguac/recording.c#L153

This would work but may not be the best permissions set for security.

Another option would be to update the UID and GID of one of the docker containers so they have the same user and group permissions, but this would have other implications for those that already have recordings and other files with a certain UID/GID and would likely require an “upgrade” process that would chown the files to the correct UID/GID.

Another option, and personally I think the least obtrusive solution, would be to update the guacamole-client Dockerfile to also add group 1000 to the guacamole user so that it has permissions for 1001 (for regular operations) and 1000 (for reading files created by guacd).

I was temporarily able to work around the problem by using “group_add: 1000” to my docker compose file under the guacamole-client container service so that the guacamole-client container user (guacamole, 1001) is also a part of the group 1000 so that it falls under the group that all the files and directories are created under (group guacd, 1000). This is definitely not a proper solution to the problem. I’m unsure how other people have solved this problem in their docker setups but this works well for me, despite being a workaround and definitely not a long-term solution.

Thanks!

-Nathaniel Belles

> On Oct 5, 2024, at 18:57, Nathaniel Belles <[email protected]> wrote:
>
> Hey all,
>
> I'm testing staging/1.6.0 and seem to be having an issue with recording
> permissions where I am unable to see session recordings in the browser
> without changing the permissions of every session folder and session file
> created by guacamole-server.
>
> I have a recording folder that is visible to both guacamole-server and
> guacamole-client with 777 permissions. When opening a session, I see
> confirmation that a file was opened for recording in the logs for
> guacamole-server. I am manually able to traverse the files outside of both
> docker containers and see that the files from the session were created but
> the session folder is created with 750 permissions and the recording files
> are created with 640 permissions. If I do a simple
> `chmod -R o+rx <session-id>` on the session recording folder to add back
> read execute permission for "others", it immediately resolves the issue and
> I can see the recordings in the browser again. If I look at the user id for
> the guacamole-server docker container it is 1000 and the user id for the
> guacamole-client container is 1001. I looked at the code differences between
> staging/1.6.0 and 1.5.5 and it seems that some changes were made to the file
> permissions for "others" when creating the folder and the recordings which I
> suspect might be where this issue originates from. Would love to hear if any
> others are experiencing this issue. Thanks!
>
> -Nathaniel Belles
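
An added example, not part of the original messages or of the Guacamole code: a Python check that applies the POSIX owner/group/other rule to a recording tree and lists the entries a given UID and group set cannot read, which shows why 750/640 entries are hidden from a different user until that user shares the owning group. The function names and the constructed sample tree are assumptions for illustration.

```python
import os
import stat
import tempfile

def class_bits(mode, owner_uid, owner_gid, uid, gids):
    """rwx bits (0-7) POSIX applies to this caller: owner class, else group, else other."""
    if uid == owner_uid:
        return (mode >> 6) & 7
    if owner_gid in gids:
        return (mode >> 3) & 7
    return mode & 7

def unreadable_entries(root, uid, gids):
    """Paths under root that uid/gids cannot use: dirs need r+x, regular files need r.
    Computed from stat data only; ACLs and the root override are not modeled."""
    blocked, stack = [], [root]
    while stack:
        path = stack.pop()
        st = os.lstat(path)
        bits = class_bits(st.st_mode, st.st_uid, st.st_gid, uid, gids)
        if stat.S_ISDIR(st.st_mode):
            if (bits & 5) != 5:
                blocked.append(path)
            stack.extend(os.path.join(path, name) for name in os.listdir(path))
        elif stat.S_ISREG(st.st_mode) and not (bits & 4):
            blocked.append(path)
    return sorted(blocked)

def demo():
    """Constructed tree with the modes from the report: folder 750, file 640."""
    with tempfile.TemporaryDirectory() as root:
        os.chmod(root, 0o777)
        session = os.path.join(root, "session-id")  # placeholder name
        os.mkdir(session)
        os.chmod(session, 0o750)
        rec = os.path.join(session, "recording")
        open(rec, "w").close()
        os.chmod(rec, 0o640)
        owner_gids = {os.lstat(p).st_gid for p in (session, rec)}
        reader_uid = os.lstat(session).st_uid + 1  # a different user, like 1001 vs 1000
        own_gid = max(owner_gids) + 1              # the reader's own primary group
        rel = lambda paths: [os.path.relpath(p, root) for p in paths]
        before = unreadable_entries(root, reader_uid, {own_gid})
        after = unreadable_entries(root, reader_uid, {own_gid} | owner_gids)
        return rel(before), rel(after)

if __name__ == "__main__":
    print(demo())
```

Run against a real recording directory with `unreadable_entries(path, 1001, {1001})` and again with `{1001, 1000}` to compare the reader's view without and with the supplementary group.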
