Guacamole pen-test

2023-11-14 Thread Maciej Konigsman
Hi,

My organization pen-tested a Guacamole instance (version 1.5.3).
One of the findings is related to "OWASP – Broken Access Control"
http://www.owasp.org/index.php/Broken_Access_Control

When the user group is configured without any permissions the user should
be able to execute connections without rights to view connection
parameters.
When I open the following paths being just part of a group without
permissions I can view the connection details. I'm not able to modify it.
Is it a bug or feature?
/#/manage/mysql/connectionGroups/1
/#/manage/mysql/connections/
/#/manage/mysql/connectionGroups/

Guacamole 1.5.3
Running as a service on Ubuntu 22.04.
SAML integration with Azure AD


Re: Health check uri

2023-11-14 Thread Antoine Besnier
 HEALTHCHECK --timeout=3s CMD wget --no-verbose --tries=1 --spider http://localhost:8080 || exit 1

should do it. If either guacd or the client are not properly loaded, wget will 
return a server error, so it would report a bad health check.

Cheers
Antoine


On Tuesday, 14 November 2023 at 08:22:46 UTC+1, miao wrote:

 Hi,
  Is there some health check URI for guacamole and guacd when running it as a docker 
container? 
  Thx


Regards

-
To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
For additional commands, e-mail: user-h...@guacamole.apache.org

  

Re: Health check uri

2023-11-14 Thread Antoine Besnier
 Forgot to mention this command needs to be baked in the image, it cannot be 
added when starting the container. You can add a healthcheck when starting the 
container (see Docker run reference | Docker Docs) or in docker compose 
(Compose file version 3 reference | Docker Docs).

Cheers
Antoine
On Tuesday, 14 November 2023 at 10:57:05 UTC+1, Antoine Besnier wrote:
 
  HEALTHCHECK --timeout=3s CMD wget --no-verbose --tries=1 --spider http://localhost:8080 || exit 1

should do it. If either guacd or the client are not properly loaded, wget will 
return a server error, so it would report a bad health check.

Cheers
Antoine


On Tuesday, 14 November 2023 at 08:22:46 UTC+1, miao wrote:

 Hi,
  Is there some health check URI for guacamole and guacd when running it as a docker 
container? 
  Thx


Regards

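The following docker compose fragment is an added example, not something posted in the thread or shipped by the Guacamole project. It applies the HEALTHCHECK idea to both containers. One caveat worth building in: a 2xx from the web app's root only proves that Tomcat has deployed the webapp, since guacd is a separate process reached over TCP 4822 and is not touched by that request, so guacd gets its own check that performs the first step of the guacd handshake (send `select`, expect `args`) rather than merely testing that the port is open. Assumptions, all mine: the `1.5.3` image tags; that the guacamole image contains `wget` (as in Antoine's command) and serves the web app under the default context path `/guacamole/` (`WEBAPP_CONTEXT` unset); and that the guacd image contains `bash`, which is what makes `/dev/tcp` available.

```yaml
# Added example (not from the thread): health checks for both Guacamole containers.
# Assumptions: image tag 1.5.3; wget present in the guacamole image; web app at
# the default context path /guacamole/; bash present in the guacd image.
services:
  guacd:
    image: guacamole/guacd:1.5.3
    healthcheck:
      # guacd has no HTTP endpoint. Rather than only checking that TCP 4822 is
      # open, send the opening "select rdp" instruction of the guacd protocol
      # and require the "args" reply that a working guacd sends back.
      test:
        - CMD
        - bash
        - -c
        - |
          exec 3<>/dev/tcp/127.0.0.1/4822 || exit 1
          printf '6.select,3.rdp;' >&3
          read -t 3 -u 3 -d ';' reply
          case "$reply" in 4.args,*) exit 0 ;; *) exit 1 ;; esac
      interval: 30s
      timeout: 5s
      retries: 3

  guacamole:
    image: guacamole/guacamole:1.5.3
    depends_on:
      guacd:
        condition: service_healthy   # do not start the web app until guacd answers
    environment:
      GUACD_HOSTNAME: guacd
      GUACD_PORT: "4822"
      # database settings (MYSQL_HOSTNAME, MYSQL_DATABASE, ...) go here
    healthcheck:
      # Only proves Tomcat deployed the webapp; guacd is covered by the check above.
      test: ["CMD-SHELL", "wget --no-verbose --tries=1 --spider http://localhost:8080/guacamole/ || exit 1"]
      interval: 30s
      timeout: 3s
      retries: 3
```

Each guacd probe opens and drops a connection, so expect one short-lived connection in the guacd log per interval; raise `interval` if that noise matters. If the image does not contain `wget` or `bash`, the check must be baked into a derived image, as Antoine notes, rather than added at run time.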



Re: Guacamole pen-test

2023-11-14 Thread Michael Jumper

On 11/14/2023 12:20 AM, Maciej Konigsman wrote:

Hi,

My organization pen-tested a Guacamole instance (version 1.5.3).
One of the findings is related to "OWASP – Broken Access Control"
http://www.owasp.org/index.php/Broken_Access_Control 



When the user group is configured without any permissions the user 
should be able to execute connections without rights to view connection 
parameters.
When I open the following paths being just part of a group without 
permissions I can view the connection details. I'm not able to modify 
it. Is it a bug or feature?

/#/manage/mysql/connectionGroups/1
/#/manage/mysql/connections/
/#/manage/mysql/connectionGroups/



What you are seeing are UI components filled with whatever data you do 
have permission to access. It is not possible to retrieve connection 
parameters for a connection that you do not have permission to 
administer/update, and this is enforced at the REST API level.


You can retrieve non-sensitive attributes, the protocol, the name, etc. 
as long as you have access to read the connection, but you will not be 
able to retrieve any connection parameters unless you have explicit 
administer/update permission.


If your organization encounters anything else, or has questions about 
the above, please DO NOT use the user@ list to ask questions about 
issues that you believe may be security related. Instead, send an email to:


secur...@guacamole.apache.org

The above is a private list specifically intended for such 
questions/reports. There is no need to subscribe to post to security@.


- Mike

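Mike's point is that the `/#/manage/...` pages are only UI, and that the control that matters is enforced by the REST API. The script below is an added example, written for this page rather than taken from the thread or from the Guacamole project, showing how a tester would verify that claim at the API level instead of through the browser: log in as the low-privilege account, list the connections it can READ, then request each one's `/parameters` resource and record whether the server answers 403 (expected) or hands back a parameter map. Assumptions: Guacamole 1.5.x; the account used has only READ permission on the connections it sees (an account with UPDATE or ADMINISTER rights would legitimately receive parameters); the token is passed as the `token` query parameter, as the 1.5 web UI does. The `/api/tokens` and `/api/session/data/...` paths are the ones the web UI itself calls; they are not a documented public API, and the `fetch` parameter exists so the logic can be exercised against a fake transport.

```python
"""Added example (not from the thread): probe the Guacamole REST API directly to
confirm that connection parameters are withheld from a READ-only user.

Assumptions: Guacamole 1.5.x; the account has only READ permission; the auth
token is passed as the ``token`` query parameter; the REST paths are those the
1.5 web UI uses (not a documented public API).
"""
import json
import sys
import urllib.error
import urllib.parse
import urllib.request


def http_fetch(method, url, data=None):
    """Runtime transport: returns (status, parsed JSON or None).

    4xx/5xx responses are returned rather than raised, because a 403 from the
    /parameters endpoint is exactly the result we hope to observe.
    """
    req = urllib.request.Request(url, data=data, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            status, raw = resp.status, resp.read()
    except urllib.error.HTTPError as err:
        status, raw = err.code, err.read()
    try:
        return status, (json.loads(raw) if raw else None)
    except ValueError:
        return status, None


def login(base_url, username, password, fetch=http_fetch):
    """POST /api/tokens -> (authToken, dataSource), e.g. ('...', 'mysql')."""
    form = urllib.parse.urlencode({"username": username, "password": password}).encode()
    status, body = fetch("POST", f"{base_url}/api/tokens", form)
    if status != 200 or not body:
        raise RuntimeError(f"login failed: HTTP {status}")
    return body["authToken"], body["dataSource"]


def audit_parameter_exposure(base_url, token, data_source, fetch=http_fetch):
    """List every connection the user can READ, then request its parameters.

    Outcome per connection identifier:
      'denied'    403 from /parameters: the expected result for a READ-only user
      'LEAK'      200 with a non-empty parameter map: report as a finding
      'empty'     200 but no parameters: nothing exposed
      'HTTP nnn'  anything else: inconclusive, inspect by hand
    """
    query = urllib.parse.urlencode({"token": token})
    api = f"{base_url}/api/session/data/{urllib.parse.quote(data_source, safe='')}"
    status, listing = fetch("GET", f"{api}/connections?{query}")
    if status != 200 or not isinstance(listing, dict):
        raise RuntimeError(f"could not list connections: HTTP {status}")

    results = {}
    for ident in listing:  # the listing is keyed by connection identifier
        url = f"{api}/connections/{urllib.parse.quote(ident, safe='')}/parameters?{query}"
        status, params = fetch("GET", url)
        if status == 403:
            results[ident] = "denied"
        elif status == 200 and params:
            results[ident] = "LEAK"
        elif status == 200:
            results[ident] = "empty"
        else:
            results[ident] = f"HTTP {status}"
    return results


def findings(results):
    """Sorted identifiers whose parameters were readable without UPDATE/ADMINISTER."""
    return sorted(ident for ident, outcome in results.items() if outcome == "LEAK")


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: guac_param_audit.py https://guac.example.org/guacamole USER PASSWORD")
    base = sys.argv[1].rstrip("/")
    tok, ds = login(base, sys.argv[2], sys.argv[3])
    outcome = audit_parameter_exposure(base, tok, ds)
    for ident, verdict in sorted(outcome.items()):
        print(f"{ident}\t{verdict}")
    sys.exit(1 if findings(outcome) else 0)
```

Run it with the same group-member account the pen-test used; a clean run prints `denied` for every connection the account can see and exits 0. Because the script exits non-zero on any `LEAK`, it can be kept as a regression check after upgrades or permission changes.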



screen tearing with RDP

2023-11-14 Thread M Anon
We are testing Apache Guacamole to try to address digital inequity in our
school where students who cannot afford high-end devices can still use
software like Fusion360. We have it on what we think is an adequately
powered VM (8GB RAM + 2 vCPUs). We are not running NGINX on it because it
is internal use only (students connect their devices to the school Wi-Fi to
access it) and not exposed to anywhere else. The RDP hosts are not VMs but
are physical desktops. We find that when we connect via an RDP client
directly to the physical desktop, there is no screen tearing but when we
connect to it via Guacamole, the screen tearing is bad.

Our reading of the manual seems to indicate that NGINX only provides a
security layer and does not affect performance. Is this right?

What else can we look at to improve the situation?


Re: screen tearing with RDP

2023-11-14 Thread Michael Jumper

On 11/14/2023 2:50 PM, M Anon wrote:


We are testing Apache Guacamole to try to address digital inequity in 
our school where students who cannot afford high-end devices can still 
use software like Fusion360. We have it on what we think is an 
adequately powered VM (8GB RAM + 2 vCPUs). We are not running NGINX on 
it because it is internal use only (students connect their devices to 
the school Wi-Fi to access it) and not exposed to anywhere else. The RDP 
hosts are not VMs but are physical desktops. We find that when we 
connect via an RDP client directly to the physical desktop, there is no 
screen tearing but when we connect to it via Guacamole, the screen 
tearing is bad.


What RDP server is being used?



Our reading of the manual seems to indicate that NGINX only provides a 
security layer and does not affect performance. Is this right?




That's correct.


What else can we look at to improve the situation?


Try a build of guacd from the master branch of git and see if that 
improves things. That branch contains a partial implementation of 
support for the "Graphics Pipeline Extension" of RDP, which *should* 
eliminate the tearing.


Tearing in RDP is due to the heuristics used to detect frame boundaries. 
These heuristics are necessary when the underlying protocol lacks any 
means of explicitly telling Guacamole where these frames are. Tearing 
occurs when Guacamole detects changes in timing that suggest a frame 
boundary, but our human eyes ultimately disagree after that frame is 
rendered.


Historically, RDP just sent a series of graphical updates and did not 
have any mechanism to indicate to the client (Guacamole) that one frame 
has ended and another is beginning. For these cases, Guacamole relies on 
timing-based heuristics to detect when all data associated with a frame 
has likely been received. These heuristics are inherently best-effort 
guesses and will not always be correct.


This changed in newer versions of Windows and RDP with the addition of 
the "Graphics Pipeline Extension" (RDPGFX). With RDPGFX, the RDP 
protocol *does* have a way to tell Guacamole where frames end/begin, and 
Guacamole takes advantage of this.


- Mike




Re: How to access the connection object from UserContext

2023-11-14 Thread Mackie Gippets
Hi Mike,

What I'm aiming to do is the ability to modify the initial-program
configuration setting (from
https://guacamole.apache.org/doc/gug/configuring-guacamole.html#session-settings)
when a particular user is signed-in through the web interface.

The configuration option change shouldn't modify the saved value, but the
connection should proceed with the modified initial-program configuration
value for the session only.

Ideally, we would like to be able to do this using Javascript (through
guacamole-common-js), but I wasn't clear on how the UserContext object can
be accessed through it.

Regards,


On Tue, Nov 14, 2023 at 5:36 PM Michael Jumper  wrote:

> On 11/13/2023 7:55 PM, Mackie Gippets wrote:
> > Hi,
> >
> > I would like to be able to access the connection object (using
> > Javascript) when a user is signed in from the guacamole-client web
> > interface.
> >
> > When the connection object is obtained, I would like to be able to
> > modify the value in the initial-program configuration option (the
> > connection type in this context is RDP) and continue connecting using
> > the modified value without changing the stored configuration value
> > (non-persistent).
> >
> > The guacamole-ext documentation suggests that this can be achieved
> > through the UserContext object. However, there is very limited
> > documentation on how this object should be used in practice. A search on
> > Stack Overflow also doesn't return any examples of how to use this
> object.
> >
>
> Can you describe what you're looking to achieve at a high level?
>
> - Mike
>