On Sat, May 10, 2025 at 5:20 PM Nathaniel Belles <[email protected]>
wrote:

> Following up on this as I am still experiencing this issue even on
> 1.6.0-RC.
>
> I had more time to dig into it and I am sure that the problem is caused by
> how the guacd user is creating directories (and files) in the recording
> directory. It only sets the permissions for user and group, without any
> permissions for others (which when running the docker containers, the guacd
> user and group is 1000:1000 and the guacamole user and group is 1001:1001,
> and thus no overlap). Therefore the directory that is created by the guacd
> user from the guacamole-server container is not able to be read by the
> guacamole user from the guacamole-client container. Also, the recording
> files that are created don’t have overlapping permissions either.
>
> One solution would be to update the permissions of all the “mkdir()”s and
> “open()”s in the src/libguac/recording.c file and the
> src/terminal/typescript.c file. The line that would need to be updated for
> directory permissions can be found here:
>
>
> https://github.com/apache/guacamole-server/blob/b52692933f5e1b18e27b0236c0e2cb7b028a8a84/src/libguac/recording.c#L153
>
> This would work but may not be the best permissions set for security.
> Another option would be to update the UID and GID of one of the docker
> containers so they have the same user and group permissions, but this would
> have other implications for those that already have recordings and other
> files with a certain UID/GID and would likely require an “upgrade” process
> that would chown the files to the correct UID/GID. Another option, and
> personally I think the least obtrusive solution, would be to update the
> guacamole-client Dockerfile to also add group 1000 to the guacamole user so
> that it has permissions for 1001 (for regular operations) and 1000 (for
> reading files created by guacd).
>
> I was temporarily able to work around the problem by using “group_add:
> 1000” in my docker compose file under the guacamole-client container
> service so that the guacamole-client container user (guacamole, 1001) is
> also a part of the group 1000 so that it falls under the group that all the
> files and directories are created under (group guacd, 1000). This is
> definitely not a proper solution to the problem. I’m unsure how other
> people have solved this problem in their docker setups but this works well
> for me, despite being a workaround and definitely not a long-term solution.
>

On the contrary, I think this is exactly the solution to the problem -
maybe not adding it to the Dockerfile, rather, making sure that whatever
user is represented by UID 1001 is a member of group 1000.

Other possible solutions are:
* On the volume that holds the recordings, set user ownership to the guacd
user (1000) so that it can write files to the folder, and then set group
ownership to the guacamole user (1001) so that it can read from the folder.
* On the volume that holds the recordings, if the filesystem supports POSIX
ACLs, set ownership to the guacd user/group, and then add ACL entries for
the guacamole user/group: setfacl -R -m u:1001:r-X -m g:1001:r-X -m
d:u:1001:r-X -m d:g:1001:r-X

-Nick
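A quick way to confirm whether the ownership/group fix discussed in this thread actually took effect is to walk the recordings volume and evaluate each entry's mode bits against the guacamole-client user's UID and groups. The script below is an added example, not code from the thread or from the Guacamole project; it assumes GNU stat (Linux), that guacd writes as 1000:1000 and the client runs as 1001:1001 as described above, and `/path/to/recordings` is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Guacamole project.
# Audits a recordings volume for the mismatch described above: guacd creates
# entries as 1000:1000 with no "other" bits, so a guacamole-client user that is
# 1001:1001 and shares no group cannot read them. Assumes GNU stat (Linux).
# Only plain mode bits are evaluated; POSIX ACL entries (the setfacl route)
# are not consulted.

# readable_by MODE OWNER_UID OWNER_GID UID "GID [GID...]"
# Succeeds when the read bit that applies to UID (with those groups) is set.
readable_by() {
  local mode=$1 owner=$2 group=$3 uid=$4 gids=$5 perms bits gid
  perms=$mode
  while [ ${#perms} -lt 3 ]; do perms=0$perms; done  # "0" -> "000"
  perms=${perms#"${perms%???}"}                      # keep the rwx triplets only
  if [ "$uid" = "$owner" ]; then
    bits=${perms%??}                                 # owner digit
  else
    bits=${perms#??}                                 # "other" digit
    for gid in $gids; do
      if [ "$gid" = "$group" ]; then
        bits=${perms#?}; bits=${bits%?}              # group digit
        break
      fi
    done
  fi
  [ $((bits & 4)) -ne 0 ]
}

# audit_recordings DIR UID "GID [GID...]"
# Prints every path under DIR that the given principal could not read.
# Empty output means the guacamole-client user can reach all recordings.
audit_recordings() {
  local dir=$1 uid=$2 gids=$3 f
  find "$dir" | while IFS= read -r f; do
    set -- $(stat -c '%a %u %g' "$f")               # mode owner group
    readable_by "$1" "$2" "$3" "$uid" "$gids" || printf '%s\n' "$f"
  done
}

# Usage on a real deployment (placeholder path, not executed here):
#   audit_recordings /path/to/recordings 1001 "1001"        # before any fix
#   audit_recordings /path/to/recordings 1001 "1001 1000"   # with group_add: 1000
```

Run it from inside the guacamole-client container (or with the same UID/GID mapping) so the numeric IDs match what the kernel applies to the bind mount.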
