Posted to dev@guacamole.apache.org by GitBox <gi...@apache.org> on 2020/03/27 23:19:13 UTC

[GitHub] [guacamole-client] benrubson edited a comment on issue #469: GUACAMOLE-890: Security: Allow image to run as non-root user

benrubson edited a comment on issue #469: GUACAMOLE-890: Security: Allow image to run as non-root user
URL: https://github.com/apache/guacamole-client/pull/469#issuecomment-605352752
 
 
   > > However, it is solving a problem that _we_ shouldn't be solving. If we move to the supported tomcat image, then it runs with a non-root user without any of these changes. Surely that is _much_ better than anything else.
   > 
   > I wholeheartedly agree.
   
   > Allowing the image to run as non-root is a worthy goal, but one that should be implemented within the Tomcat image. Once that's the case (it sounds like it already is?), (...)
   
   No, as already stated [here](https://github.com/apache/guacamole-client/pull/469#issuecomment-580483759), it's not.
   Some details again.
   Please read carefully; sorry, I'll certainly repeat / reuse some arguments given above.
   
   Here, then, is the directory structure from the last `tomcat:8.5-jdk8` image:
   _(for reference, the base image update PR from `jre` to `jdk` is here: #485)_
   
   ```
   # ls -l /usr/local/tomcat/
   -rw-r--r-- 1 root root 19318 Mar 11 10:06 BUILDING.txt
   -rw-r--r-- 1 root root  5408 Mar 11 10:06 CONTRIBUTING.md
   -rw-r--r-- 1 root root 57011 Mar 11 10:06 LICENSE
   -rw-r--r-- 1 root root  1726 Mar 11 10:06 NOTICE
   -rw-r--r-- 1 root root  3255 Mar 11 10:06 README.md
   -rw-r--r-- 1 root root  7136 Mar 11 10:06 RELEASE-NOTES
   -rw-r--r-- 1 root root 16262 Mar 11 10:06 RUNNING.txt
   drwxr-xr-x 2 root root  4096 Mar 17 23:14 bin
   drwxr-xr-x 1 root root  4096 Mar 27 21:39 conf
   drwxr-xr-x 2 root root  4096 Mar 17 23:14 include
   drwxr-xr-x 2 root root  4096 Mar 17 23:13 lib
   drwxrwxrwx 1 root root  4096 Mar 27 21:39 logs
   drwxr-xr-x 3 root root  4096 Mar 17 23:14 native-jni-lib
   drwxrwxrwx 2 root root  4096 Mar 17 23:13 temp
   drwxr-xr-x 2 root root  4096 Mar 17 23:13 webapps
   drwxr-xr-x 7 root root  4096 Mar 11 10:04 webapps.dist
   drwxrwxrwx 2 root root  4096 Mar 11 10:03 work
   ```
   
   As you can see, `logs`, `temp` and `work` directories of the default `CATALINA_BASE` have been made world-writable.
   But still, the `webapps` directory is not world-writable, so a non-root user won't be able to link `guacamole.war` into it. So the Guacamole `start.sh` script will [fail](https://github.com/apache/guacamole-client/blob/1.1.0/guacamole-docker/bin/start.sh#L579).
   So, there's still something missing.
   
   You could then propose to ask the Tomcat image maintainers to `chmod 777 webapps`.
   But, as you already stated [here](https://github.com/apache/guacamole-client/pull/469#discussion_r373092391) @mike-jumper, the goal (of running as a non-root user) should not be achieved by removing restrictions.
   In other words, from a security point of view, the method used by the image maintainers does not seem to be the right one.
   
   To confirm this, here's now the default directory structure from a Debian 10 Tomcat installation:
   ```
   # ls -l /var/lib/tomcat9/
   lrwxrwxrwx 1 root   root     12 Jun 13  2019 conf -> /etc/tomcat9
   drwxr-xr-x 2 tomcat tomcat 4096 Jun 13  2019 lib
   lrwxrwxrwx 1 root   root     17 Jun 13  2019 logs -> ../../log/tomcat9
   drwxr-xr-x 2 root   root   4096 Mar 27 22:51 policy
   drwxrwxr-x 3 tomcat tomcat 4096 Mar 27 22:51 webapps
   lrwxrwxrwx 1 root   root     19 Jun 13  2019 work -> ../../cache/tomcat9
   # ls -ld /var/log/tomcat9/ /var/cache/tomcat9/
   drwxr-x--- 3 tomcat tomcat 4096 Mar 27 22:51 /var/cache/tomcat9/
   drwxr-s--- 2 tomcat adm    4096 Mar 27 22:51 /var/log/tomcat9/
   ```
   
   As you can see here, `logs`, `work` and `webapps` directories are only writable by the `tomcat` user.
   It then does not make sense to make them world-writable so that another user can start its application... That would be a messy / crappy configuration...
   
   On the contrary, as explained [above](https://github.com/apache/guacamole-client/pull/469#discussion_r392684827), and as explained in the [Tomcat documentation](http://tomcat.apache.org/tomcat-8.5-doc/introduction.html#CATALINA_HOME_and_CATALINA_BASE), we should, in this case, create and use a dedicated proper `CATALINA_BASE` directory structure.
   
   This is what this PR does...
   It creates the 5 runtime directories, which are then readable / writable only by the user running the application, links the application into it, and starts from it...
   There's no reason why we should absolutely run the Guacamole application from the default runtime directories owned by `root`...
   
   Sincerely, it really looks like the way to go.
   We follow the Tomcat documentation, the resulting PR is really tiny, it has no side effect, no runtime or performance impact, it allows running as a non-root user, and enforces directory structure security...
   I don't see why we wouldn't go for it...
   
   Thank you again if you could then reconsider this 👍

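As an added illustration (not code from the PR, from `start.sh`, or from the project), here is a POSIX shell sketch of the approach the comment describes: a private `CATALINA_BASE` whose five runtime directories are readable and writable only by the user running Tomcat, the war linked into that base instead of the image's root-owned `webapps`, and Tomcat started from it. The paths, function names and the `ROOT.war` context name are assumptions.

```shell
#!/bin/sh
# Added example: build a dedicated CATALINA_BASE so Tomcat can run as an
# unprivileged user without any chmod 777 on the image's default directories.
set -eu

# Create the runtime structure under $1 (CATALINA_BASE) for the war at $2,
# seeding conf/ from $3 (CATALINA_HOME). umask 077 makes every directory 0700
# and every copied file 0600: only the owner can use them, nothing is
# world-writable, which is the property the comment insists on keeping.
setup_catalina_base() {
    base="$1"; war="$2"; home="$3"
    umask 077
    # The five runtime directories Tomcat needs in a separate CATALINA_BASE.
    for d in conf logs temp work webapps; do
        mkdir -p "$base/$d"
    done
    # Copy server.xml, web.xml, etc. from CATALINA_HOME (never modified there).
    cp -R "$home/conf/." "$base/conf/"
    # Link the application into the private webapps/ as the ROOT context
    # (assumed context name) instead of writing into the image's webapps/.
    ln -sf "$war" "$base/webapps/ROOT.war"
}

# Return 0 when no directory under $1 is world-writable, 1 otherwise.
# A quick self-check that the base never degrades into the "777" layout.
no_world_writable() {
    [ -z "$(find "$1" -type d -perm -002)" ]
}

# Start Tomcat from the private base while CATALINA_HOME stays root-owned
# and read-only; the image's logs/temp/work/webapps are never touched.
start_tomcat() {
    base="$1"; home="$2"
    CATALINA_BASE="$base" CATALINA_HOME="$home" exec "$home/bin/catalina.sh" run
}
```

Typical use would be `setup_catalina_base "$HOME/tomcat" /opt/guacamole/guacamole.war /usr/local/tomcat` followed by `start_tomcat "$HOME/tomcat" /usr/local/tomcat` (assumed paths).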