Re: guacd error segfault in libguac-client-rdp.so.0.0.0

2023-06-12 Thread Jürgen Kuri

Hello Gabriel, hello Nick & Mike,

I'm also one of the users who had problems with disconnects in an earlier 
release (guacd 1.4.0). There were also core dumps with earlier releases 
(1.2.0) in a different connection which I can't remember anymore (as far 
as I recall I also created a ticket for that). At that time I opened a 
detailed ticket and provided core dumps and backtraces.


I don't know if you have this already, but to generate core dumps you have 
to prepare your system. Normally, by default, writing core dumps to 
disk is disabled (RLIMIT_CORE). Before you start a process, here guacd, 
you have to enable it. So type ulimit -a (for all limits, or -c to see 
just the core dump limit) in your shell:


    $ ulimit -a
    real-time non-blocking time  (microseconds, -R) unlimited
    core file size              (blocks, -c) 0
    data seg size               (kbytes, -d) unlimited
    scheduling priority                 (-e) 0
    file size                   (blocks, -f) unlimited
    pending signals                     (-i) 126355
    max locked memory           (kbytes, -l) 4070536
    max memory size             (kbytes, -m) unlimited
    open files                          (-n) 1024
    pipe size                (512 bytes, -p) 8
    POSIX message queues         (bytes, -q) 819200
    real-time priority                  (-r) 0
    stack size                  (kbytes, -s) 8192
    cpu time                   (seconds, -t) unlimited
    max user processes                  (-u) 126355
    virtual memory              (kbytes, -v) unlimited
    file locks                          (-x) unlimited

As you can see, "0" means the max. allowed core file size is 0 bytes. Type:

    $ ulimit -c unlimited

for unlimited core file size. Then start guacd from this updated environment.

You can also, before you start guacd, define - globally - the path where 
the dumps are written to and, with macros, the format of the file 
name. Type


    $ man core

for details.

I'm really keen to hear if the core dump problems get solved at some point, 
since I experienced core dumps of guacd in different connections, not 
only the one discussed here. There were also some on weak connections 
with small bandwidth in combination with audio (microphone).


Also interesting to hear about rebuilding the FreeRDP library - did it help?

I hope I could help you a little bit.

Until next time.

Jorge


On 07.06.23 19:25, Gabriel Huerta Araujo wrote:

I found this log information (syslog)

Jun  7 11:14:50 tmxqrocnsG5 guacd[156163]: RDP server closed/refused 
connection: Manually logged off.
Jun  7 11:14:50 tmxqrocnsG5 guacd[156163]: guacd[156163]:INFO:#011RDP  server 
closed/refused connection: Manually logged off.
Jun  7 11:14:50 tmxqrocnsG5 guacd[156163]: Internal RDP client disconnected
Jun  7 11:14:50 tmxqrocnsG5 guacd[156163]: guacd[156163]:INFO:#011Internal  RDP 
client disconnected
Jun  7 11:14:50 tmxqrocnsG5 kernel: [205223.091624] guacd[156169]: segfault at 
10 ip 7fa1fc3e3622 sp 7f9f92573c80 error 4 in 
libguac-client-rdp.so.0.0.0[7fa1fc3d1000+1a000]
Jun  7 11:14:50 tmxqrocnsG5 kernel: [205223.091653] Code: 00 be 03 00 00 00 48 89 ef 
e8 8a e9 fe ff b8 01 00 00 00 e9 7a ff ff ff 53 48 8b 07 48 89 fb 48 89 de 48 8b 40 
10 48 8b 40 20 <48> 8b 78 10 e8 25 e9 fe ff 8b 43 18 85 c0 74 0e 31 c0 5b c3 66 
2e
Jun  7 11:14:50 tmxqrocnsG5 guacd[568]: Connection 
"$fcf2766d-53e1-40da-9874-8fb9cd08e2e1" removed.
Jun  7 11:14:50 tmxqrocnsG5 guacd[568]: guacd[568]:INFO:#011Connection  
"$fcf2766d-53e1-40da-9874-8fb9cd08e2e1" removed.
Jun  7 11:15:00 tmxqrocnsG5 guacd[568]: Creating new client for protocol "rdp"
Jun  7 11:15:00 tmxqrocnsG5 guacd[568]: guacd[568]:INFO:#011Creating  new client for 
protocol "rdp"
Jun  7 11:15:00 tmxqrocnsG5 guacd[568]: Connection ID is 
"$205fff34-792b-43b1-9d4c-c5a53af7edc3"
Jun  7 11:15:00 tmxqrocnsG5 guacd[568]: guacd[568]:INFO:#011Connection  ID is 
"$205fff34-792b-43b1-9d4c-c5a53af7edc3"
Jun  7 11:15:00 tmxqrocnsG5 guacd[157660]: FreeRDP initialization may fail: The current 
user's home directory ("/usr/sbin") is not writable, but FreeRDP generally 
requires a writable home directory for storage of configuration files and certificates.
Jun  7 11:15:00 tmxqrocnsG5 guacd[157660]: guacd[157660]: WARNING:#011FreeRDP 
initialization may fail: The current user's home directory ("/usr/sbin") is not 
writable, but FreeRDP generally requires a writable home directory for storage of 
configuration files and certificates.
Jun  7 11:15:00 tmxqrocnsG5 guacd[157660]: guacd[157660]:INFO:#011No  security 
mode specified. Defaulting to security mode negotiation with server.
Jun  7 11:15:00 tmxqrocnsG5 guacd[157660]: guacd[157660]:INFO:#011Resize  
method: none
Jun  7 11:15:00 tmxqrocnsG5 guacd[157660]: guacd[157660]:INFO:#011No  clipboard 
line-ending normalization specified. Defaulting to preserving the format of all 
line endings.
Jun  7 11:15:00 tmxqrocnsG5 guacd[157660]: guacd[157660]:INFO:#011User  
"@36c63a3c-96eb-452d-bef9-c8490c5cb12f" joined connection 
"$205fff34-792b-43b1-9d4c-c5
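An added example, my own and not code from the thread or from the Guacamole project, that works through both halves of the message above. The first part classifies the RLIMIT_CORE pair that `ulimit -c` reports and explains where `/proc/sys/kernel/core_pattern` will deliver a dump (a leading `|` hands the core to a helper program instead of writing a file; see `man core`). The second part decodes the kernel's segfault line from the syslog excerpt into the faulting address, the x86 page-fault error bits (from the kernel's `arch/x86/include/asm/trap_pf.h`) and the instruction offset inside the executable mapping of `libguac-client-rdp.so.0.0.0`. The sample lines are constructed by re-joining the wrapped lines of the excerpt. Since a core file is the whole process image, a guacd dump holds the RDP credentials of the crashed connection; `check_this_process()` tells you which directory or helper will receive it, so its permissions can be set before the daemon starts.

```python
"""Added example, not from the thread or the Guacamole project: core dump
readiness checks plus a decoder for the kernel's segfault log line."""
import re
import resource
from typing import Optional

UNLIMITED = resource.RLIM_INFINITY          # what `ulimit -c unlimited` sets
CORE_PATTERN_PATH = "/proc/sys/kernel/core_pattern"

# Constructed from the syslog excerpt in the thread (wrapped lines re-joined).
SAMPLE_LINES = [
    "Jun  7 11:14:50 tmxqrocnsG5 kernel: [205223.091624] guacd[156169]: "
    "segfault at 10 ip 7fa1fc3e3622 sp 7f9f92573c80 error 4 in "
    "libguac-client-rdp.so.0.0.0[7fa1fc3d1000+1a000]",
    "kernel: guacd[122620]: segfault at 10 ip 7f0a4039ee7e sp 7f0a38f29c28 "
    "error 4 in libguac-client-rdp.so.0.0.0[7f0a4039b000+1a000]",
    "Jun  7 11:14:50 tmxqrocnsG5 guacd[156163]: Internal RDP client disconnected",
]

# "<comm>[<pid>]: segfault at <addr> ip <ip> sp <sp> error <n> in <obj>[<base>+<size>]"
SEGFAULT_RE = re.compile(
    r"(?P<comm>[^\s\[]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) "
    r"in (?P<obj>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)


def core_limit_state(soft: int, hard: int) -> str:
    """Describe an RLIMIT_CORE (soft, hard) pair as returned by getrlimit()."""
    if soft == 0 and hard == 0:
        return "disabled by hard limit (only root can raise it)"
    if soft == 0:
        return "disabled (raise with: ulimit -c unlimited)"
    if soft == UNLIMITED:
        return "enabled"
    return f"limited to {soft} bytes"


def describe_core_pattern(pattern: str) -> str:
    """Say where the kernel delivers a core for a given core_pattern value."""
    p = pattern.strip()
    if p.startswith("|"):
        # Piped cores never land in the working directory; the helper
        # (systemd-coredump, apport, ...) decides where they end up.
        return "piped to handler: " + p[1:].split()[0]
    return "written to file pattern: " + (p or "core")


def check_this_process() -> dict:
    """Live check of the current process, i.e. the shell that will exec guacd."""
    soft, hard = resource.getrlimit(resource.RLIMIT_CORE)
    try:
        with open(CORE_PATTERN_PATH) as fh:
            pattern = fh.read()
    except OSError:          # not Linux, or /proc not mounted
        pattern = ""
    return {"limit": core_limit_state(soft, hard),
            "destination": describe_core_pattern(pattern)}


def decode_error_code(err: int) -> dict:
    """x86 page-fault error code bits (arch/x86/include/asm/trap_pf.h)."""
    return {
        "protection_violation": bool(err & 1),   # clear: page not present
        "write": bool(err & 2),                  # clear: read access
        "user_mode": bool(err & 4),
        "reserved_bit": bool(err & 8),
        "instruction_fetch": bool(err & 16),
    }


def parse_segfault(line: str) -> Optional[dict]:
    """Turn a kernel segfault line into the numbers a debugger session needs."""
    m = SEGFAULT_RE.search(line)
    if m is None:
        return None
    addr, ip = int(m["addr"], 16), int(m["ip"], 16)
    base, size = int(m["base"], 16), int(m["size"], 16)
    info = {
        "comm": m["comm"],
        "pid": int(m["pid"]),
        "object": m["obj"],
        "fault_addr": addr,
        # A fault on a tiny address is a NULL pointer plus a field offset.
        "null_deref_suspect": addr < 4096,
        # Offset from the start of the executable mapping the kernel printed.
        # Add the p_vaddr of that r-x LOAD segment (readelf -l) to get the
        # ELF address that addr2line -f -e <lib> expects.
        "ip_offset": ip - base,
        "ip_in_object": base <= ip < base + size,
    }
    info.update(decode_error_code(int(m["err"])))
    return info


if __name__ == "__main__":
    print(check_this_process())
    for sample in SAMPLE_LINES:
        r = parse_segfault(sample)
        if r:
            print(f"{r['comm']}[{r['pid']}] fault at {r['fault_addr']:#x} "
                  f"-> {r['object']}+{r['ip_offset']:#x} "
                  f"(user={r['user_mode']}, write={r['write']}, "
                  f"null_deref_suspect={r['null_deref_suspect']})")
```

Both excerpts decode to a user-mode read of a non-present page at address 0x10, i.e. a field read through a NULL pointer, which is the same shape in the 1.4.0 and 2022 reports; with a core file, `gdb guacd core` resolves the frame directly and makes the offset arithmetic unnecessary.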

Re: Guacamole re-connection attempts never stop... they should?

2022-06-01 Thread Jürgen Kuri

Suggestion:

1) keep endless reconnect as default

2) have two connection-specific and/or global parameters:
   a. number of retries
   b. retry interval

3) if we have these parameters both globally and on connection level, the global 
one is overwritten for a specific connection if defined there

On 31.05.22 at 22:44, Lee Doughty wrote:

Hello Guacamole Community,

I tried asking this a few weeks ago, but it looks like there was not a lot of 
traction on this idea.. but I wanted to try one more time before I gave up on 
it.

I think it would be a great feature to stop auto-reconnect attempts that are simply not 
connecting after several dozen attempts. I've seen in our logs that some users hit the 
"Reconnect" button or otherwise get into a reconnect loop, then leave the tab 
open for hours *or days*. This results in our guacamole server getting a ping every 
minute or so from a user trying to connect to a VM that is not available, and they just 
leave it retrying over and over again.

It would be nice to at least require user interaction to resume the connection 
attempts... So users have to return to the tab every N attempts to restart the 
countdown, instead of the current never-ending loop... I'm not suggesting any 
value for N... because any reasonable value would be nice over infinite. My 
record was somewhere in the ballpark of 7,000 attempts (5 days) before the user 
was kind enough to close the tab and stop poking our Guacamole server.

Is this something that can make it into an upcoming Guacamole release?

-Lee


--
Jürgen

-
To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
For additional commands, e-mail: user-h...@guacamole.apache.org



Re: guacd segmentation fault

2022-02-11 Thread Jürgen Kuri
On 11.02.22 at 14:33, Nick Couchman wrote:
> On Fri, Feb 11, 2022 at 5:19 AM Jürgen Kuri <juergen.k...@ionos.com> wrote:
> 
> On 10.02.22 at 14:27, Vieri wrote:
> > Hi,
> >
> > Everything seems to work fine on my system except for RDP connections. 
> In syslog I can see this segfault:
> >
> > guacd[122526]: freerdp_connect:freerdp_set_last_error_ex resetting 
> error state
> > guacd[122526]: Support for CLIPRDR (clipboard redirection) registered. 
> Awaiting channel connection.
> > guacd[122526]: Support for static channel "rdpdr" loaded.
> > guacd[122526]: Support for static channel "rdpsnd" loaded.
> > guacd[122526]: Local framebuffer format  PIXEL_FORMAT_BGRX32
> > guacd[122526]: Remote framebuffer format PIXEL_FORMAT_BGR24
> > guacd[122526]: primitives autodetect, using optimized
> > guacd[122526]: 
> freerdp_tcp_is_hostname_resolvable:freerdp_set_last_error_ex resetting error 
> state
> > guacd[122526]: freerdp_tcp_connect:freerdp_set_last_error_ex resetting 
> error state
> > guacd[122526]: CLIPRDR (clipboard redirection) channel connected.
> > guacd[122526]: SVC "rdpdr" connected.
> > guacd[122526]: SVC "rdpsnd" connected.
> > guacd[113519]: Connection "$f0fb71d3-4e98-44e9-96ee-a8971f9a3227" 
> removed.
> > kernel: guacd[122620]: segfault at 10 ip 7f0a4039ee7e sp 
> 7f0a38f29c28 error 4 in libguac-client-rdp.so.0.0.0[7f0a4039b000+1a000]
> > kernel: Code: 31 c0 5b 5d 41 5c 41 5d 41 5e 41 5f e9 6b c7 ff ff 66 66 
> 2e 0f 1f 84 00 00 00 00 00 48 8b 07 45 31 c0 48 8b 40 10 48 8b 50 50 <8b> 52 
> 10 85 d2 7f 07 48 83 78 58 00 74 04 44 89 c0 c3 44 8b 47 20
> >
> > I'm using freerdp 2.4.1.
> >
> > Any ideas?
> >
> > Vieri
> >
> >
> >
> 
> Hi,
> 
> you're not the only one experiencing it. There are meanwhile two tickets:
> 
>         * https://issues.apache.org/jira/browse/GUACAMOLE-1505
> 
>         * https://issues.apache.org/jira/browse/GUACAMOLE-1496
> 
> 
> Maybe you'll see something eye-catching there which might help us.
> -- 
> 
> 
> I can confirm that I'm seeing similar segfaults to both the above in this 
> message and the two Jira issues, and I'm attempting to get a good coredump 
> and evaluate the crashes. I think one of the Jira issues also had a backtrace 
> in it, so I'll look and see what I can figure out.
> 
> -Nick

Hi Nick,

The ticket

* https://issues.apache.org/jira/browse/GUACAMOLE-1505

has backtraces and core dumps attached.

-- 
Thanks
Jürgen




Re: guacd segmentation fault

2022-02-11 Thread Jürgen Kuri
On 10.02.22 at 14:27, Vieri wrote:
> Hi,
> 
> Everything seems to work fine on my system except for RDP connections. In 
> syslog I can see this segfault:
> 
> guacd[122526]: freerdp_connect:freerdp_set_last_error_ex resetting error state
> guacd[122526]: Support for CLIPRDR (clipboard redirection) registered. 
> Awaiting channel connection.
> guacd[122526]: Support for static channel "rdpdr" loaded.
> guacd[122526]: Support for static channel "rdpsnd" loaded.
> guacd[122526]: Local framebuffer format  PIXEL_FORMAT_BGRX32
> guacd[122526]: Remote framebuffer format PIXEL_FORMAT_BGR24
> guacd[122526]: primitives autodetect, using optimized
> guacd[122526]: freerdp_tcp_is_hostname_resolvable:freerdp_set_last_error_ex 
> resetting error state
> guacd[122526]: freerdp_tcp_connect:freerdp_set_last_error_ex resetting error 
> state
> guacd[122526]: CLIPRDR (clipboard redirection) channel connected.
> guacd[122526]: SVC "rdpdr" connected.
> guacd[122526]: SVC "rdpsnd" connected.
> guacd[113519]: Connection "$f0fb71d3-4e98-44e9-96ee-a8971f9a3227" removed.
> kernel: guacd[122620]: segfault at 10 ip 7f0a4039ee7e sp 7f0a38f29c28 
> error 4 in libguac-client-rdp.so.0.0.0[7f0a4039b000+1a000]
> kernel: Code: 31 c0 5b 5d 41 5c 41 5d 41 5e 41 5f e9 6b c7 ff ff 66 66 2e 0f 
> 1f 84 00 00 00 00 00 48 8b 07 45 31 c0 48 8b 40 10 48 8b 50 50 <8b> 52 10 85 
> d2 7f 07 48 83 78 58 00 74 04 44 89 c0 c3 44 8b 47 20
> 
> I'm using freerdp 2.4.1.
> 
> Any ideas?
> 
> Vieri
> 
> 
> 

Hi,

you're not the only one experiencing it. There are meanwhile two tickets:

* https://issues.apache.org/jira/browse/GUACAMOLE-1505

* https://issues.apache.org/jira/browse/GUACAMOLE-1496


Maybe you'll see something eye-catching there which might help us.
-- 

Thanks
Jürgen





Re: [SECURITY] CVE-2021-43999: Apache Guacamole: Improper validation of SAML responses

2022-01-12 Thread Jürgen Kuri
On 11.01.22 at 22:21, Mike Jumper wrote:
> Severity: high
> 
> Description:
> 
> Apache Guacamole 1.2.0 and 1.3.0 do not properly validate responses
> received from a SAML identity provider. If SAML support is enabled,
> this may allow a malicious user to assume the identity of another
> Guacamole user.
> 
> Credit:
> 
> We would like to thank Finn Steglich (ETAS) for reporting this issue.
> 
> 
Hello,

which component is affected here, backend (guacd) or frontend (.war) or both?

-- 
Thanks
Jürgen




Re: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private details of active connections

2022-01-12 Thread Jürgen Kuri
On 11.01.22 at 22:21, Mike Jumper wrote:
> Severity: moderate
> 
> Description:
> 
> Apache Guacamole 1.3.0 and older may incorrectly include a private
> tunnel identifier in the non-private details of some REST responses.
> This may allow an authenticated user who already has permission to
> access a particular connection to read from or interact with another
> user's active use of that same connection.
> 
> Credit:
> 
> We would like to thank Damian Velardo (Australia and New Zealand
> Banking Group) for reporting this issue.
> 
> 
Hello,

which component is affected here, backend (guacd) or frontend (.war) or both?

-- 
Thanks
Jürgen




Re: enable-font-smoothing - Network Overhead

2021-11-29 Thread Jürgen Kuri
Hello Adrian,

I was really keen on your results! Interesting that nothing has changed since then. 
Good job! I enabled font smoothing for all connections since it really makes a 
difference. Legibility is better and users honour it. To me, bad remote working 
conditions are not an option just for the sake of saving network bandwidth.

On 27.11.21 at 16:57, Adrian Owen wrote:
> Hi Nick,
> 
> 
>> First, I'm not sure that I understand what the various test cases mean. I 
>> don't know what "NOT Smoothing NOT text" means? Maybe that smoothing is 
>> disabled and you're not displaying text?
> 
> 
> NOT Text = Start RDP Session and don't start any apps.
> 
> NOT Smoothing = Font smoothing not enabled.
> 
> 
> It's for a special use case. A screenshot with smooth fonts plays better with OCR.
> 
> 
> Interestingly the 11 year old post on Smooth Font RDP bandwidth is still 
> correct. No change.
> 
> 
> Thanks, Adrian
> 
> 
> 
> *From:* Nick Couchman [mailto:vn...@apache.org]
> *Sent:* 27 November 2021 15:23
> *To:* user@guacamole.apache.org
> *Subject:* Re: enable-font-smoothing - Network Overhead
> 
> 
> On Sat, Nov 27, 2021 at 4:02 AM Adrian Owen wrote:
> 
> Hi Nick,
> 
> Test results:
> 
> Chrome Browser 1200 x 800
> Debian Buster Guacamole 1.2
> Target Windows 2016 Server
> 
> Total Network Bytes. 4 x 30 second RDP Sessions.
> 
> Font Smoothing Test       Target->Guacamole(3389 RDP)   Guacamole->Browser(443 HTTP)
> 
> NOT Smoothing NOT text    312                           21K
> NOT Smoothing AND text    381K                          221K
> Smoothing NOT text        312                           21K
> Smoothing AND text        1054K                         496K
> 
> Font smoothing enabled = 300% RDP increase, 200% HTTP increase.
> 
> Could the HTTP increase be reduced?
> 
> 
> First, I'm not sure that I understand what the various test cases mean. I 
> don't know what "NOT Smoothing NOT text" means? Maybe that smoothing is disabled 
> and you're not displaying text?
> 
> 
> However, I would say that if "Smoothing AND text" means that you've got font 
> smoothing enabled and a lot of text, the RDP session is having to process a 
> lot of edges of many pixels on the screen in order to smooth all of the text 
> on the screen, and this is necessarily going to mean that more regions of the 
> screen need to be updated and smoothed, which is naturally going to result in 
> larger amounts of data going back and forth. It's also worth pointing out 
> that the presence of text seems, itself, to be a driver for bandwidth - if 
> you're using 21K without text, and 221K with text, that's a 10x increase in 
> bandwidth utilization. It's only double that amount when you smooth it, so 
> that's less the issue than the presence of text.
> 
> 
> As far as what can be done to limit the HTTP increase - you have part of your 
> answer - don't enable font smoothing (which appears to double the bandwidth 
> requirement). Beyond that, I'm not sure anything can be done.
> 
> 
> That said, are you running into situations where bandwidth or network 
> utilization related to Guacamole is a problem? Guacamole is reasonably good 
> at 1) using the available resources, including bandwidth, but then, 2) 
> balancing connections over the available resources to avoid one connection 
> monopolizing the resources. If you're not seeing any issues, and you're 
> scaling up the number of connections, then I wouldn't worry about it until 
> you're actually seeing problems.
> 
> 
> -Nick
> -- 

Thanks
Jürgen




Re: [Feature Request] Network "Hog" Identification for Connections

2021-11-05 Thread Jürgen Kuri
On 05.11.21 at 13:28, Nick Couchman wrote:
>> On Fri, Nov 5, 2021 at 7:50 AM Jürgen Kuri <juergen.k...@ionos.com> wrote:
>> 
>> Hello,
>> 
>> it would be nice for admin users to have a possibility in the web 
>> frontend to quickly identify current connections which consume a lot of 
>> network bandwidth (a kind of ranking by network packet count or so). This is 
>> useful and more convenient if you have several simultaneous connections and 
>> several Guacamole instances balanced and concentrated with a BGP network 
>> router setup. For admins who are not so familiar with tools like netstat, 
>> iptraf and friends it is extremely helpful.
> 
> 
> If you'd like to request a feature, Jira is the place to do it:
> https://issues.apache.org/jira/browse/GUACAMOLE
>  
> 
>> Because of several Guacamole instances concentrated via BGP network 
>> routers (from outside only one Guacamole access URL is visible), the 
>> network bandwidth utilisation values must be stored and updated somewhere 
>> CENTRALLY, in the Guacamole SQL database. These single and concentrated 
>> Guacamole instances (frontend and backend) all share the same database here 
>> in our setup. So, "logically" or from the application's "high level" view it is 
>> just one instance with one access URL from the internet. This is, for 
>> example, why we see in the web frontend under "Active Sessions" not all 
>> active sessions, just the ones to the internet frontend where the admin's 
>> web session is routed to, but not the ones from the neighbouring internet 
>> frontends.
> 
> 
> This would likely need to be thought out a little bit more thoroughly. I see 
> a couple of issues with this:
> * Depending on what type of information and how much you plan to store in the 
> database, this could cause a rapid growth in the size of the database. It 
> might be possible to add a couple of fields - total packet count, and total 
> byte count, or total in packets, total out packets, total in bytes, and total 
> out bytes - that could be tracked and updated periodically for active and 
> historical connection information.
Yes, if we want to historicize network metrics from past sessions, the database 
will grow. Of course, I had that in mind when I wrote this feature request; 
this is what admins want to have and what makes their hearts beat faster. But for 
the first step, covering the need, the identification of the "hogs", additional 
database fields with the network metrics which are updated, let's say, every 30 
seconds (configurable update interval?) would be sufficient for the need 
here. And, of course, when the session for a specific connection ends, or at the 
latest when a new future session is initiated for the same connection, the metrics 
in the database are reset! So, these single metric fields just reflect a momentary 
situation, but this is enough to make a ranking for a quick identification of 
the hogs. And, in order to reduce database and network strain, especially if 
we have multiple simultaneous proxy sessions, guacd and the Java application 
should send the network metrics in transaction aggregates for all current 
connections. This is good for the network (fewer round trips) and for the database, 
which performs the updates of the aggregated metrics with a few I/O accesses. 
For that purpose it is sufficient not to have very up-to-date network metric 
information.

A lightweight approach for a kind of historiography of network consumption 
could be an extra database table with one row per connection and the network 
metrics. This table acts like a scoreboard. At the end of a specific connection 
session the values are updated in that scoreboard table. The web frontend 
presents that session scoreboard in descending order with the network 
utilisation hogs at the top.


> But, if you're wanting to store a bunch of historic information about when 
> connections hogged the bandwidth, you're talking about a lot of additional 
> data (RRD-style).
Sorry, I don't fully agree, at least not from the storage space footprint 
perspective, if that is what you allude to. You don't want to keep this data for 
years. I think for troubleshooting two to four weeks is probably more than enough. 
That might be different if you want to use this data e.g. for accounting or so.


> * Depending on how often you'd want it updated, this could result in quite a 
> heavy load just tracking this information. If you had 100 active connections, 
> and you wanted the data updated every second, or even every 10 seconds, this 
> would add quite a bit of load to what is otherwise a relatively light-weight 
> and low-util

[Feature Request] Network "Hog" Identification for Connections

2021-11-05 Thread Jürgen Kuri
Hello,

it would be nice for admin users to have a possibility in the web frontend to 
quickly identify current connections which consume a lot of network bandwidth 
(a kind of ranking by network packet count or so). This is useful and more 
convenient if you have several simultaneous connections and several Guacamole 
instances balanced and concentrated with a BGP network router setup. For admins 
who are not so familiar with tools like netstat, iptraf and friends it is 
extremely helpful.

Because of several Guacamole instances concentrated via BGP network routers 
(from outside only one Guacamole access URL is visible), the network 
bandwidth utilisation values must be stored and updated somewhere CENTRALLY, in 
the Guacamole SQL database. These single and concentrated Guacamole instances 
(frontend and backend) all share the same database here in our setup. So, 
"logically" or from the application's "high level" view it is just one instance 
with one access URL from the internet. This is, for example, why we see in the web 
frontend under "Active Sessions" not all active sessions, just the ones to the 
internet frontend where the admin's web session is routed to, but not the ones 
from the neighbouring internet frontends.
--

Thanks
Jürgen




Re: RBAC, User Permissions

2021-11-02 Thread Jürgen Kuri
Hello Nick,

yes, it works as you said. If a user has the CREATE_USER and CREATE_CONNECTION 
system permission privilege (table guacamole_system_permission) he/she can 
create user and connection resources with access (the ADMINISTER privilege 
subsuming READ, UPDATE and DELETE). My use case however is: I have two 
department admins who both need full resource access, no matter which one of them 
created the resource. If admin A creates a user or connection resource, A has 
full access (ADMINISTER) while admin B has not, and vice versa. Creating a dept 
admin group with CREATE_USER and CREATE_CONNECTION privilege and putting both A 
and B into it doesn't cover my use case. If I look into the database schema it 
doesn't seem to me that this use case is applicable. I can add admin B to table 
guacamole_user_permission for a user resource owned by A by some extra 
INSERT statements with cumulative entity_id - affected_user_id - permission 
records and I have what I want. It will not work, however, as expected at first 
glance with the guacamole_user_group_permission table:

desc guacamole_user_group_permission;
+------------------------+---------------------------------------------+------+-----+---------+-------+
| Field                  | Type                                        | Null | Key | Default | Extra |
+------------------------+---------------------------------------------+------+-----+---------+-------+
| entity_id              | int(11)                                     | NO   | PRI | NULL    |       |
| affected_user_group_id | int(11)                                     | NO   | PRI | NULL    |       |
| permission             | enum('READ','UPDATE','DELETE','ADMINISTER') | NO   | PRI | NULL    |       |
+------------------------+---------------------------------------------+------+-----+---------+-------+

"entity_id" seems to be seen here just in USER_GROUP entity context. A record 
here by an extra INSERT statement with the entity_id of a USER entity (in my 
case admin A and B) will not work.

Same for connection resources: I can cumulate it in the same way in table 
guacamole_connection_permission by associating entity_ids from different USER 
entities, but the same here, it will not work for GROUP entities. The table 
guacamole_connection_group seems to be something completely different; I cannot 
associate user or user group entities with connection entities.

Doing some extra INSERT DMLs whenever admin A or B has created a new user or 
connection resource via the web frontend is not what I want.

The only solution, as far as I understand, is to give admin A and B the system 
permission privilege ADMINISTER (guacamole_system_permission), but this implies 
at the same time full Guacamole instance access, which I do not want for my use 
case. 

Do I see it right that my use case is not applicable, or is there still a little 
hope because I overlooked or misunderstood something?


Thank you

Jürgen

On 26.10.21 at 20:03, Nick Couchman wrote:
> (Adding back the mailing list)
> 
> 
> On Tue, Oct 26, 2021 at 12:53 PM Jürgen Kuri <juergen.k...@ionos.com> wrote:
> 
> My Guacamole instance is running for more than a year or so. Initially, I 
> filled the database with users, user groups and connections "manually" 
> according to the instructions in
> 
> http://guacamole.apache.org/doc/gug/jdbc-auth.html:
> 
> -- Generate salt
> SET @salt = UNHEX(SHA2(UUID(), 256));
> 
> -- Create base entity entry for user
> INSERT INTO guacamole_entity (name, type)
> VALUES ('myuser', 'USER');
> 
> -- Create user and hash password with salt
> INSERT INTO guacamole_user (
>     entity_id,
>     password_salt,
>     password_hash,
>     password_date
> )
> SELECT
>     entity_id,
>     @salt,
>     UNHEX(SHA2(CONCAT('mypassword', HEX(@salt)), 256)),
>     CURRENT_TIMESTAMP
> FROM guacamole_entity
> WHERE
>     name = 'myuser'
>     AND type = 'USER';
> 
> 
> Similar I did for the creation of connections and user mappings by 
> INSERTS into the guacamole_connection, guacamole_connection_permission and 
> guacamole_connection_parameter.
> 
> 
> Because I don't fully understand, especially how connections are mapped in 
> a way like "entity_id" -> 
> "affected_connection_id/affected_connection_group_id", I just created:
> 
>         1) a user "blah-blah-user"
> 
>         2) a connection "blah-blah-host"
> 
>         3) associated "blah-blah-user" with "blah-blah-host"
> 
> via web frontend.

Re: RBAC, User Permissions

2021-10-27 Thread Jürgen Kuri
On 26.10.21 at 20:03, Nick Couchman wrote:
> (Adding back the mailing list)
> 
> 
> On Tue, Oct 26, 2021 at 12:53 PM Jürgen Kuri <juergen.k...@ionos.com> wrote:
> 
> My Guacamole instance is running for more than a year or so. Initially, I 
> filled the database with users, user groups and connections "manually" 
> according to the instructions in
> 
> http://guacamole.apache.org/doc/gug/jdbc-auth.html:
> 
> -- Generate salt
> SET @salt = UNHEX(SHA2(UUID(), 256));
> 
> -- Create base entity entry for user
> INSERT INTO guacamole_entity (name, type)
> VALUES ('myuser', 'USER');
> 
> -- Create user and hash password with salt
> INSERT INTO guacamole_user (
>     entity_id,
>     password_salt,
>     password_hash,
>     password_date
> )
> SELECT
>     entity_id,
>     @salt,
>     UNHEX(SHA2(CONCAT('mypassword', HEX(@salt)), 256)),
>     CURRENT_TIMESTAMP
> FROM guacamole_entity
> WHERE
>     name = 'myuser'
>     AND type = 'USER';
> 
> 
> Similar I did for the creation of connections and user mappings by 
> INSERTS into the guacamole_connection, guacamole_connection_permission and 
> guacamole_connection_parameter.
> 
> 
> Because I don't fully understand, especially how connections are mapped in 
> a way like "entity_id" -> 
> "affected_connection_id/affected_connection_group_id", I just created:
> 
>         1) a user "blah-blah-user"
> 
>         2) a connection "blah-blah-host"
> 
>         3) associated "blah-blah-user" with "blah-blah-host"
> 
> via web frontend. Now, to my surprise, I cannot find the user 
> "blah-blah-user" neither in table guacamole_entity nor in guacamole_user. 
> Same with connection "blah-blah-host" in table guacamole_connection and 
> needless to say not in guacamole_connection_permission and 
> guacamole_connection_parameter.
> 
> 
> If you create this in the web frontend and don't see the corresponding 
> database entries, then you're either looking at the wrong database or schema, 
> or you're looking at a replica of some sort that isn't consistent, yet. Make 
> sure you're connecting to the same database that your web front-end is using, 
> as configured in guacamole.properties.
I don't know what went on in the back. The database is not operated by me. I have 
an open mysql command line client where I normally do my DML statements and I 
see changes I made with it instantly. As told, the frontend changes I did not - 
yesterday evening. This morning, with the mysql command line client still open and 
running (it has been open since October 4th), I could see the new rows created by 
the frontend yesterday evening. Yes, the DB instance is replicated, but only one 
side is normally accessible for servicing. I'll talk with the DB guys about it; 
this is unexpected. Normally I do all DML via the command line client, not via the 
frontend, since I have to process numerous records. Sorry for bothering you with 
this. I'll try now what I initially wanted to do.

> 
> -Nick

Thank you
-- 
Jürgen


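The SQL quoted in the two messages above (from the Guacamole JDBC auth documentation) fixes the password scheme the database extension stores: one SHA-256 over the password followed by the salt rendered as uppercase hex, the salt itself being 32 bytes from SHA2(UUID()). As an added example, my own and not code from the thread or the project, here is the same computation in Python, for scripting the bulk user rows the message mentions or for checking that a row the frontend created carries a hash the extension will accept. The gotcha it encodes is that MySQL's HEX() emits uppercase, so Python's bytes.hex() has to be upper-cased before concatenation. The user name, password and salts used below are constructed sample values; `os.urandom` stands in for SHA2(UUID()) as the salt source.

```python
"""Added example, not from the thread or the Guacamole project: the
password hash stored in guacamole_user, computed outside MySQL."""
import hashlib
import hmac
import os


def mysql_hex(data: bytes) -> str:
    """MySQL HEX() renders bytes as uppercase hex; bytes.hex() is lowercase."""
    return data.hex().upper()


def make_salt() -> bytes:
    """32 random bytes, the same width as UNHEX(SHA2(UUID(), 256)) in the docs."""
    return os.urandom(32)


def guac_password_hash(password: str, salt: bytes) -> bytes:
    """UNHEX(SHA2(CONCAT(password, HEX(salt)), 256)), as the docs' SQL computes."""
    material = password.encode("utf-8") + mysql_hex(salt).encode("ascii")
    return hashlib.sha256(material).digest()


def verify_guac_password(password: str, salt: bytes, stored_hash: bytes) -> bool:
    """Constant-time comparison against a password_hash column value."""
    return hmac.compare_digest(guac_password_hash(password, salt), stored_hash)


def user_row(name: str, password: str) -> dict:
    """Column values for one guacamole_user row; entity_id still comes from
    the guacamole_entity row the docs' INSERT creates for the same name."""
    salt = make_salt()
    return {
        "name": name,
        "password_salt": salt,
        "password_hash": guac_password_hash(password, salt),
    }


if __name__ == "__main__":
    row = user_row("myuser", "mypassword")      # constructed sample user
    print("password_salt =", mysql_hex(row["password_salt"]))
    print("password_hash =", mysql_hex(row["password_hash"]))
    print("verify ok     =", verify_guac_password(
        "mypassword", row["password_salt"], row["password_hash"]))
```

Hand the bytes from `user_row` to a parameterised INSERT (the `%s` placeholders of the MySQL client libraries) rather than formatting them into SQL text; the docs' `SELECT entity_id ... FROM guacamole_entity WHERE name = ... AND type = 'USER'` then supplies the entity_id exactly as in the quoted statement.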



Fwd: RBAC, User Permissions

2021-10-26 Thread Jürgen Kuri
Hello,

for my use case I want to have two different kinds of Guacamole administrators: 
one "system admin" who administers the entire instance and has full access to 
all resources, and a so-called "department admin" who just has access to the 
resources of his department (users, user groups and connections). If we look 
into a user or a user group profile via the web frontend, we see under section 
"PERMISSIONS" the following privileges:

Administer system
Create new users
Create new user groups
Create new connections
Create new connection groups
Create new sharing profiles
Change own password

For the "department admin" role the privileges "Create new users" and "Create 
new connections" are what I want. If I grant some user these two, he/she can 
just do what is literally described: create new users or connections. But 
this is just half of the battle. Such an admin should be able to do the full 
life cycle management of users and connections: create, update (user - host 
associations) and delete them. If I take a closer look into the database, the 
tables

* guacamole_connection_group_permission
* guacamole_connection_permission
* guacamole_sharing_profile_permission
* guacamole_system_permission
* guacamole_user_group_permission
* guacamole_user_permission

catch my eye. These entity mapping tables all have this ENUM column 
"permission" with the possible values 
enum('READ','UPDATE','DELETE','ADMINISTER'), except for table 
guacamole_system_permission with the ENUM values 
enum('CREATE_CONNECTION','CREATE_CONNECTION_GROUP','CREATE_SHARING_PROFILE','CREATE_USER','CREATE_USER_GROUP','ADMINISTER'), 
which is not such an entity mapping table.

Is it somehow possible, by doing some INSERT statements, to model such a 
"department admin" role as described? If not with all features I want, maybe 
partially, meaning a little bit more than just creating users and connections? 
Updating the user-connection association would be good. Or do I misinterpret these 
mapping tables completely and are they used for something else not coming into 
my mind?

Thank you for helping me with this.
-- 
Jürgen
