At the end we've managed (had to ask to a better-coder-colleague) to
forcefully create a random path for the drive so the user cannot set
his/hers path in the guacamole WebUI.
for every session a disposable folder is created like
/mnt/drive_path/1ebbeaf-a96f-4677-80
and we clear it from time to time via crontab (example for /etc/crontab to
nuke folders older than 1 week)
4 42 * * * root find /mnt/drive_path/* -type d -ctime +7 | xargs -I {} rm
-rf {} > /dev/null 2>&1
then edited "src/protocols/rdp/settings.c"
_______________
guac_rdp_settings* guac_rdp_parse_args(guac_user* user,
int argc, const char** argv) {
________________
____stuff________
/* Force drive path to avoid filesystem lookups */
char *usn = (char *)malloc(20);
memcpy(usn, user->user_id+2, 20);
char *drvpath=(char *) malloc(1+36);
strcpy(drvpath, "/mnt/drive_path/");
strcat(drvpath,usn);
settings->drive_path =
guac_user_parse_args_string(user, GUAC_RDP_CLIENT_ARGS, argv,
IDX_DRIVE_PATH, drvpath);
settings->drive_path = drvpath;
________________
___other_stuff_____
/* Free drive_path string */
free(drvpath);
}
___________________
Compiled and worked nicely.
Leaving this here since someone may find it useful.
(or some developer can implement "auto-generate-random-drive-path" feature)
cheers!
Il giorno mer 27 mag 2020 alle ore 22:29 Nick Couchman <vn...@apache.org>
ha scritto:
> On Wed, May 27, 2020 at 12:54 PM Lorenzo Faleschini <fungoid...@gmail.com>
> wrote:
>
>> Hi everyone.
>>
>> I've edited the sources of guacamole-server-1.1.0 to fit my needs, for
>> example: enable rdp drive, create drive, use NLA by default.
>> I've edited "src/protocols/rdp/settings.c" file and changed the needed
>> values (as here from 0 to 1)
>> -----
>> /* Drive enable/disable */
>> settings->drive_enabled =
>> guac_user_parse_args_boolean(user, GUAC_RDP_CLIENT_ARGS, argv,
>> IDX_ENABLE_DRIVE, 1);
>> -----
>>
>> configured, maked, installed, restarted guacd --> all fine.
>>
>> Then I'm stucked at this point: since I let users create their
>> connections and they need to use drives, I don't want to let them specify
>> the path of the rdp drive. What I want is to have guacd to set the correct
>> path for everyone like if they diligently type in
>> "/correct/base/path/${GUAC_USERNAME}" in the Connection editor.
>>
>>
> Yeah, if you are letting users create their own connections, then they
> will be able to define the parameters however they wish. If guacd is
> running under a non-root account you should be able to make sure that
> filesystem permissions are set such that, no matter what users define, they
> can only write to a certain set of directories.
>
>
>> I've found a way that works to hardcode a path, but I can't figure out
>> how to dynamically compose the string:
>> ----
>> settings->drive_path =
>> guac_user_parse_args_string(user, GUAC_RDP_CLIENT_ARGS, argv,
>> IDX_DRIVE_PATH, "");
>>
>> /* Force drive path to avoid users setting what they like or sneak in
>> other's users dirs*/
>> settings->drive_path = "/mnt/drive_path/${GUAC_USERNAME}";
>> ----
>>
>> this works in the sense that whatever a user sets in the connection the
>> path is overwritten, but the variable is not parsed so I get all users in
>> /mnt/drive_path/\$\{GUAC_USERNAME\}/ folder in the filesystem (marked the \
>> escape chars to say that's what the folder is called, it's not
>> myuser@mydomain.whatever subfolder under /mnt/drive_path).
>>
>>
> The problem, here, is the ${GUAC_USERNAME}, the token for the username, is
> evaluated on the Guacamole Client side, by the Java application, and not
> within guacd. So, if you use that substitution within a connection
> parameter, by the time the parameter gets passed through to guacd the
> substitution has already been made. guacd has no knowledge of the user
> accounts used to access Guacamole Client, so it has no way of either
> substituting these items in, nor enforcing limits for where users can point
> this directory.
>
> Your best alternative in this case is to define your static top-level
> directory (/mnt/drive_path) and then append the username value
> (settings->username) to this to get the drive path. This *should* ensure
> that they cannot enter funny values in the username box to try to escape
> the directory or get access to other user's directories, because any
> attempt to do so would also mean they are never logged on to the remote
> system, and thus wouldn't ever gain access.
>
> However, I would caution that the situation you've described is not really
> fundamentally secure - if you don't trust the users to configure any/all
> options, you shouldn't allow them to create connections at all. If you
> trust the users to create connections, then you should trust them to define
> the correct values for any/all of these options. At this point in time
> Guacamole does not contain any in-between permissions sets that would allow
> users to only define certain permissions or have admins lock values for
> permissions.
>
> -Nick
>
