Posted to dev@guacamole.apache.org by GitBox <gi...@apache.org> on 2020/11/30 00:43:41 UTC

[GitHub] [guacamole-client] mike-jumper commented on a change in pull request #554: GUACAMOLE-890: Security: Allow image to run as non-root user

mike-jumper commented on a change in pull request #554:
URL: https://github.com/apache/guacamole-client/pull/554#discussion_r532295037



##########
File path: guacamole-docker/bin/start.sh
##########
@@ -659,9 +659,15 @@ associate_header() {
 ##
 start_guacamole() {
 
+    # User-only writable CATALINA_BASE
+    export CATALINA_BASE=$GUACAMOLE_HOME/tomcat
+    for dir in logs temp webapps work; do
+        mkdir -p $CATALINA_BASE/$dir
+    done
+    cp -R /usr/local/tomcat/conf $CATALINA_BASE
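
Review bot: The comment on the first added line promises a user-only writable CATALINA_BASE, but nothing in this hunk enforces it: `mkdir -p` and `cp -R` create everything under whatever umask the script inherited, so with a permissive umask the logs, temp, webapps and work directories and the copied conf could end up group- or world-writable. Set the umask explicitly before these lines (or create the directories with an explicit mode) so the result does not depend on the caller. The expansions in `mkdir -p $CATALINA_BASE/$dir` and `cp -R /usr/local/tomcat/conf $CATALINA_BASE` are also unquoted, so a GUACAMOLE_HOME containing whitespace would be split into several arguments; quote them.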

Review comment:
       Will a symbolic link not work in this case?

##########
File path: guacamole-docker/bin/start.sh
##########
@@ -659,9 +659,15 @@ associate_header() {
 ##
 start_guacamole() {
 
+    # User-only writable CATALINA_BASE
+    export CATALINA_BASE=$GUACAMOLE_HOME/tomcat
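
Review bot: On the `export CATALINA_BASE=$GUACAMOLE_HOME/tomcat` line there is no guard for an unset or empty GUACAMOLE_HOME, in which case CATALINA_BASE silently becomes `/tomcat` at the filesystem root instead of a path under the intended directory. Fail early here, for example with `${GUACAMOLE_HOME:?}` in the assignment, and quote the right-hand side.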

Review comment:
       I don't think `CATALINA_BASE` should be a subdirectory of `GUACAMOLE_HOME`. The contents and purpose of `GUACAMOLE_HOME` are dictated by the webapp. It contains specific things in a specific structure and shouldn't be used as a general-purpose storage location.



