You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@guacamole.apache.org by GitBox <gi...@apache.org> on 2022/01/30 11:57:13 UTC
[GitHub] [guacamole-client] sirux88 opened a new pull request #694: GUACAMOLE-1524: Importing LDAPS certificate into docker container
sirux88 opened a new pull request #694:
URL: https://github.com/apache/guacamole-client/pull/694
associated JIRA: https://issues.apache.org/jira/browse/GUACAMOLE-1524
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscribe@guacamole.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [guacamole-client] sirux88 commented on a change in pull request #694: GUACAMOLE-1524: Importing LDAPS certificate into docker container
Posted by GitBox <gi...@apache.org>.
sirux88 commented on a change in pull request #694:
URL: https://github.com/apache/guacamole-client/pull/694#discussion_r800056710
##########
File path: Dockerfile
##########
@@ -62,6 +62,9 @@ ARG GID=1001
RUN groupadd --gid $GID guacamole
RUN useradd --system --create-home --shell /usr/sbin/nologin --uid $UID --gid $GID guacamole
+# allow guacamole user to import certificates into default java keystore file cacerts
+run chown guacamole /usr/local/openjdk-8/jre/lib/security/cacerts && chmod +w /usr/local/openjdk-8/jre/lib/security/cacerts
Review comment:
@mike-jumper:
I reviewed all the stuff once again and came to the conclusion that there's a easier and more overall solution.
It ended up in [allow-jsk-usage](https://github.com/sirux88/guacamole-client/tree/allow-jsk-usage)
I would suggest closing this topic as well as the JIRA issue and creating new ones.
Please give me a short hint if this is fine for you.
I'll then do all the steps
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscribe@guacamole.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [guacamole-client] sirux88 commented on a change in pull request #694: GUACAMOLE-1524: Importing LDAPS certificate into docker container
Posted by GitBox <gi...@apache.org>.
sirux88 commented on a change in pull request #694:
URL: https://github.com/apache/guacamole-client/pull/694#discussion_r797332871
##########
File path: Dockerfile
##########
@@ -62,6 +62,9 @@ ARG GID=1001
RUN groupadd --gid $GID guacamole
RUN useradd --system --create-home --shell /usr/sbin/nologin --uid $UID --gid $GID guacamole
+# allow guacamole user to import certificates into default java keystore file cacerts
+run chown guacamole /usr/local/openjdk-8/jre/lib/security/cacerts && chmod +w /usr/local/openjdk-8/jre/lib/security/cacerts
Review comment:
i don't like that solution either because of the same security reasons you mentioned.
To sum up my finding about java and ceritifcates:
- Only a keystorefile can be used as a certificate source within java.
- You can't load a single cert file into you application
- Importing into default keystore file for unprivileged users is not possible by default
A solution that only affects the container and provides sufficient security is not possible as far as I can assume:
- You can't run multiple CMD/ENTRYPOINT-commands within a dockerfile with different users
- Importing certifcates with RUN-Commands is nonsense since this would be done while building the image (and not starting a container)
A possible solution would be:
- create a new keystore file with all the necessary certs
- make the file read only after creating and importing
- merge it on the fly within the application with the system wide keystore (maybe with [https://github.com/1and1/CompositeJKS](https://github.com/1and1/CompositeJKS))
But since this topic only affects containers and the approach above requires some changes to the application itself I don't know if it should be done like that.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscribe@guacamole.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [guacamole-client] mike-jumper commented on a change in pull request #694: GUACAMOLE-1524: Importing LDAPS certificate into docker container
Posted by GitBox <gi...@apache.org>.
mike-jumper commented on a change in pull request #694:
URL: https://github.com/apache/guacamole-client/pull/694#discussion_r797211243
##########
File path: Dockerfile
##########
@@ -62,6 +62,9 @@ ARG GID=1001
RUN groupadd --gid $GID guacamole
RUN useradd --system --create-home --shell /usr/sbin/nologin --uid $UID --gid $GID guacamole
+# allow guacamole user to import certificates into default java keystore file cacerts
+run chown guacamole /usr/local/openjdk-8/jre/lib/security/cacerts && chmod +w /usr/local/openjdk-8/jre/lib/security/cacerts
Review comment:
I don't think this should be done. Should something go awry in the web application, this would extend the malicious potential of that to installing certificates.
The limited-privilege user that runs the webapp shouldn't be able to alter certs.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscribe@guacamole.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [guacamole-client] sirux88 commented on a change in pull request #694: GUACAMOLE-1524: Importing LDAPS certificate into docker container
Posted by GitBox <gi...@apache.org>.
sirux88 commented on a change in pull request #694:
URL: https://github.com/apache/guacamole-client/pull/694#discussion_r797332871
##########
File path: Dockerfile
##########
@@ -62,6 +62,9 @@ ARG GID=1001
RUN groupadd --gid $GID guacamole
RUN useradd --system --create-home --shell /usr/sbin/nologin --uid $UID --gid $GID guacamole
+# allow guacamole user to import certificates into default java keystore file cacerts
+run chown guacamole /usr/local/openjdk-8/jre/lib/security/cacerts && chmod +w /usr/local/openjdk-8/jre/lib/security/cacerts
Review comment:
i don't like that solution either because of the same security reasons you mentioned.
To sum up my finding about java and ceritifcates:
- Only a keystorefile can be used as a certificate source within java.
- You can't load a single cert file into you application
- Importing into default keystore file for unprivileged users is not possible by default
A solution that only affects the container and provides sufficient security is not possible as far as I can assume:
- You can't run multiple CMD/ENTRYPOINT-commands within a dockerfile with different users
- Importing certifcates with RUN-Commands is nonsense since this would be done while building the image (and not starting a container)
A possible solution would be:
- create a new keystore file with all the necessary certs
- make the file read only after creating and importing
- merge it on the fly within the application with the system wide keystore (maybe with [https://github.com/1and1/CompositeJKS](url))
But since this topic only affects containers and the approach above requires some changes to the application itself I don't know if it should be done like that.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscribe@guacamole.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org